SA 540 Questions and Help Needed

Unanswered Question
Oct 5th, 2009
User Badges:

I've got 2 SA 540's.  Site to site setup was a breeze, but i've still got issues.  I'm disappointed by the fact the the ipsec vpn doesn't appear to support the cisco client, and thus the iphone (no place to put a security group name).  So I've got some questions if anybody knows the answers:

1.  How do i use a second public ip address for ssl and ipsec vpn traffic?  My first ip address is being used for nat and port forwarding to servers and i don't want to change this, because i'll have to make dns changes that could potentially affect mail flow.  my secondary public ip addresses are neither on the same subnet nor do they have the same gateway as my primary public ip addresses.

2.  Is support for the traditional ipsec cisco vpn client (same one used in iphone) on the roadmap?  If not, is some sort of iphone solution on the roadmap?

3.  Is there any way to telnet into the device for CLI like capabilities?  The Administration guide seems to indicate that there is, but I can't get into the SA 540with telnet, telnet/s, or ssh.

4.  Is supporting spaces and other characters like periods in user names for users on the roadmap?  I am currently having to use a replacement setting for user-id on my radius servers that changes email address into full usernames.  usernames on this network have spaces and periods.  i can't use email address to logon because the radius servers automatically prepend the domain\ to the user id and i can't figure out how to get that out.  this might also potentially solve the issue.

thanks in advance for any help.

oh, and i've got a list of xbox ports if anyone needs them.  it's longer than what most sites lead you to believe.  i was able to go from strict to open on a 1760.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jamccord Mon, 10/05/2009 - 14:41
User Badges:

1.  I will be putting this scenario in the lab to test.

2.  At the present time, there will be no support for the Cisco vpn client.

3.  I will also further test the CLI capabilities in the lab.

4.  I will look into this issue and get the appropriate answer.



beowulfs Sat, 10/17/2009 - 08:32
User Badges:

I've got an extra public ip address to play around with on the optional port for both ends, but do you or anyone have any more info?  thanks.

jamccord Mon, 10/19/2009 - 06:47
User Badges:

In regards to point 3 of your earlier post, there is no CLI support for the SA series routers.  The documentation is in error and correction to the documentation has been submitted.

Could you please be more specific as to what you need assistance with regarding the optional port?  What end result are you wanting to obtain?



beowulfs Mon, 10/19/2009 - 07:50
User Badges:

1.  I've got two public ip address, different subnets.  How do I use the second one for SSLVPN and QUICKVPN.  The first is dedicated to a NAT and a whole lot of PAT including ssl, that i can't break.

2.  Since traditional ipsec group vpn is not going to be supported, is some kind of iPhone vpn support on the roadmap?

3.  You answered.  Documentation is wrong.  Thank you.

4.  Is supporting spaces and other characters like periods on the roadmap for usernames.  My Domain users have spaces and periods in their names.  I did it on purpose to make it harder to hack.

5. New question.  How do I support more than one subnet for protected VPN traffic across a site to site tunnel and for clients, i.e. multi-site/subnet protected traffic?

These are all things I can do with a router or an ASA, but I wanted to give the SA540 a try so I could pitch to clients.


Steven Smith Wed, 10/28/2009 - 15:30
User Badges:
  • Gold, 750 points or more

For #1, there are some known issues about this problem.  I can't say when it will be implemented fully yet.  But it will be soon.

#2, we don't discuss roadmaps.  I don't know of any iPhone VPN software coming for this product currently, but if I can find out something more that I can share, I will let you know.

#4 Yes for spaces, I will check on other characters as well.

#5 is possible.  I don't have a box in front of me right now, but you don't do it in the wizard.  I believe you do it in VPN Policies or IKE policies.  I will look at my box tomorrow and tell you how.

guzuti560 Sun, 02/21/2010 - 12:30
User Badges:


i would be interessted in the iPhone VPN support too, if there is a possibility.

Thank you  Mario

Steven Smith Mon, 02/22/2010 - 08:12
User Badges:
  • Gold, 750 points or more

We can't really discuss the roadmap, but I will pass the feedback along.

massimiliano.porta Thu, 07/29/2010 - 07:04
User Badges:

Hi, could you be able to verify #5 in site-to-site ispsec vpn connections?

I really can not find where to say to protect other remote networks (current issue with SA540: ASA5505 remote vpn users are not being able to reach the SA540 local network).

Thank you,

Massimiliano Porta

juliomar Tue, 09/21/2010 - 09:34
User Badges:
  • Cisco Employee,

Hi Massimiliano,

As a follow up to question #5 above, dealing with SA 500 series connecting to multiple remote subnets...

There is a way to associate multiple LAN subnets to a single IKE Policy.  Please see the following post on the Cisco Small Business Security Community.

Let me know if this is similar scenario you face, or if not, can you elaborate more on your network topology.

Hope that helps you out.

Best regards,

Julio Martinez

Steven Smith Wed, 11/11/2009 - 07:35
User Badges:
  • Gold, 750 points or more

There is a fix for the one to one NAT issue.  Please contact TAC and get the beta firmware.  Please let me know how it works with IP's on different subnets, I haven't tested that myself and am interested to see how it works.

Also, since your IP's are one different subnets, are you using 1 wan port?  Do you have 2 different gateways?  What type of connection is this?

beowulfs Wed, 11/11/2009 - 08:45
User Badges:

Opening a case now.  I've got a single cable modem.  I can put a switch behind it and split it if need be.  In fact I had been doing that, but I've integrated everything back into the SA540 for traffic shaping.  I've still got the different subnets on one end, but on the other end, my cable company is consolidating ip address ranges and i've asked for 3 contiguous ip addresses for it.  however, they haven't finished routing it yet, so i still have 3 ip's on 3 subnets there.

case is open.  i'll pm the number.


This Discussion

Related Content