Cisco (Linksys) RV042, 8 public IPs and port forwarding

Hi Experts

I'm considering getting a Cisco (Linksys) RV042 to handle my firewall.

I have 8 public IPs (92.60.107.55-62) and I need to forward ports from these IPs to servers in my LAN (10.0.0.10-20). Something like:
92.60.107.55 (port 3389) -> 10.0.0.10
92.60.107.56 (ports 80 and 443) -> 10.0.0.11
92.60.107.57 (ports 80 and 443) -> 10.0.0.12
92.60.107.58 (ports for ftp) -> 10.0.0.13

Can the RV042 do this for me?
I've read about the one-to-one NAT option, but I presume this opens ALL ports with the obvious security risks. Pretty much the same as putting the server unprotected onto the web?

RogerIvy asked:

MikeKane commented:
I've only ever set up these devices for a single IP; however, the manual clearly states that you can map external IP ranges to internal IP ranges. The ranges seem to need to be lined up exactly, see below. It does not seem to like just random mappings....

Taken from the RV0 manual:

Setup Tab - One-to-One NAT

One-to-One NAT creates a relationship which maps valid external addresses to internal addresses hidden by NAT. Machines with an internal address may be accessed at the corresponding external valid IP address. See Figure 6-16.

Creating this relationship between internal and external addresses is done by defining internal and external address ranges of equal length. Once that relationship is defined, the machine with the first internal address is accessible at the first IP address in the external address range, and the second machine at the second external IP address, and so on.
MikeKane commented:
Oh, and even once that is setup, you still need to create and apply an authorized "inbound services" list to allow inbound port 80 for example.
RogerIvy (author) commented:
Thanks MikeKane, so from what you have said, even though I do a one-to-one NAT, those servers will be secure because I still have to open the ports up?

Sorry to be so picky, it's just that we bought three routers that can't do the job and this time I want to make sure.
MikeKane commented:

>>because I still have to open the ports up

No no... what I meant (and I should have been more clear) is that you need to create an access list to authorize *only the traffic you want*. You need to create allow and deny rules to match what you want to do. By default, all ports are open.

Taken from the manual, pg 16:
http://www.cisco.com/en/US/docs/routers/csbr/rv042/admin/guide/RV042_V10_UG_C-WEB.pdf

One-to-One NAT affects how the firewall functions work. Access to LAN devices from the Internet is allowed unless additional Deny access rules are configured on the Firewall > Access Rules screen.



The RV0 screens are a little clunky, but I gotta admit the unit does work well once it is set up. I have at least 3 of them in production right now for small branch offices servicing VPN tunnels back to a main site. Creating ACLs in these doesn't really follow the 'flow' that I am used to in the Cisco ASA appliance, so I would highly recommend an external port scan once your rules are in place.
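To make the two points in this thread concrete (the manual's equal-length, first-to-first range mapping, and MikeKane's warning that one-to-one NAT leaves every port reachable until Deny rules exist), here is an added Python model of the mapping and the access-rule policy. It is illustration code written for this page, not anything from the RV042 firmware or the manual. It assumes first-match-wins rule evaluation with a default of allow under one-to-one NAT, and it trims the question's internal range to 10.0.0.10-17 so that it is the same length as the eight public addresses; both are assumptions, as are the specific port lists.

```python
# Added example, not from the original thread or the RV042 manual.
# Models one-to-one NAT (equal-length ranges, first-to-first) and a simple
# first-match-wins access-rule list, to show what an external scan would see
# with and without explicit Deny rules.
import ipaddress
from dataclasses import dataclass


def ip_range(first, last):
    """Expand an inclusive IPv4 range into a list of dotted-quad strings."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError("range end precedes start")
    return [str(a + i) for i in range(int(b) - int(a) + 1)]


def one_to_one_nat(ext_first, ext_last, int_first, int_last):
    """Map an external range onto an internal range of equal length,
    first address to first address, as the manual excerpt describes."""
    ext, inside = ip_range(ext_first, ext_last), ip_range(int_first, int_last)
    if len(ext) != len(inside):
        raise ValueError(
            f"ranges must be equal length: {len(ext)} external vs {len(inside)} internal")
    return dict(zip(ext, inside))


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    dst: str           # internal host after NAT, or "*" for any host
    ports: frozenset   # TCP ports; an empty set means any port


def build_rules(wanted):
    """wanted: {internal_ip: {ports}} -> one allow rule per host for exactly
    those ports, followed by a deny-all so nothing else is reachable."""
    rules = [Rule("allow", host, frozenset(ports)) for host, ports in wanted.items()]
    rules.append(Rule("deny", "*", frozenset()))
    return rules


def inbound_allowed(nat, rules, public_ip, port):
    """Would an inbound TCP connection to public_ip:port reach the LAN host?
    Assumption: first matching rule wins; no match means allow, mirroring the
    manual's note that one-to-one NAT permits access unless Deny rules exist."""
    target = nat.get(public_ip)
    if target is None:
        return False  # unmapped public address: nothing behind it
    for r in rules:
        if r.dst in ("*", target) and (not r.ports or port in r.ports):
            return r.action == "allow"
    return True


def exposed_ports(nat, rules, public_ip, candidate_ports):
    """The ports an external scan of public_ip would report open."""
    return sorted(p for p in candidate_ports
                  if inbound_allowed(nat, rules, public_ip, p))


# Constructed sample based on the question. 92.60.107.55-62 is eight addresses,
# so the internal side is assumed to be 10.0.0.10-17 to keep the lengths equal.
NAT = one_to_one_nat("92.60.107.55", "92.60.107.62", "10.0.0.10", "10.0.0.17")

WANTED = {
    "10.0.0.10": {3389},
    "10.0.0.11": {80, 443},
    "10.0.0.12": {80, 443},
    "10.0.0.13": {21},   # FTP control channel only; passive data ports not modelled
}
NO_RULES = []                 # one-to-one NAT with no access rules configured
HARDENED = build_rules(WANTED)

if __name__ == "__main__":
    scan = [21, 22, 80, 443, 3389]
    for ip in ("92.60.107.55", "92.60.107.58", "92.60.107.60"):
        print(ip, "->", NAT[ip],
              "| no rules:", exposed_ports(NAT, NO_RULES, ip, scan),
              "| hardened:", exposed_ports(NAT, HARDENED, ip, scan))
```

With `NO_RULES`, every scanned port on every mapped address comes back open, including on 92.60.107.60, which maps to a host the question never meant to expose at all. With the allow list plus a trailing deny-all, only the intended ports remain, which is the state an external scan should confirm once the real rules are in place.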