Cisco SA540 and problems with NAT

Unanswered Question
Oct 19th, 2009
User Badges:


I have problems with SA540 and NAT. I’m trying to use three public IP-addresses. One is for SA540, one is for Exchange-server and one is for Citrix server. I have read the SA540 Admin Guide and follow the instructions but the NAT doesn’t work. I can access to SA540 from the outside network but there is no connection for Exchange or Citrix servers from the outside networks. I have used Cisco ASA5505 before and they works just fine so I think some kind on knowledge about how this things should work. This is how I have done the Firewall rules (example is from HTTPS rule):

From Zone: WAN

To Zone: LAN

Service: HTTPS


Source Host: Any

Internal IP address: a.b.c.d (Exchange-server private IP)

External IP address: Other

Other IP address: e.f.g.h (Exchange-server public IP)

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Steven Smith Fri, 10/30/2009 - 11:44
User Badges:
  • Gold, 750 points or more

There is a bug written for the problem that you are seeing.  It isn't resolved yet.  I will let you know when this is resolved.  I do apologize for the inconvenience.

The bug ID is CSCtc52591.

jani.havia Fri, 10/30/2009 - 13:37
User Badges:

Thanks for your answer. We already get ASA5505 which is quite familiar to me. But it would be nice if we get the SA540 up and running so that we can use it in future.


Jani Havia

Does this apply to all static NAT'ing on this device?  Makes it pretty useless for anyone who has a server they need to expose.  Can you do a PAT only without a one-to-one?  I think this will be the last time I get burned by this Cisco SMB stuff.  All these devices end up being overpriced subpar POS's.

Steven Smith Tue, 11/03/2009 - 15:47
User Badges:
  • Gold, 750 points or more

You can do it with a single IP address. The problem is with multiple IP addresses.

StefanCreutz Wed, 11/04/2009 - 02:35
User Badges:

Any ETA on when this will be resolved? This is a serious issue that makes the device fairly useless!

festivalbussen Wed, 11/04/2009 - 02:39
User Badges:

I have the same problem and I have 4 webservers that I need to connect so when can we expect this problem to be solved?

jamccord Wed, 11/04/2009 - 05:46
User Badges:

As mentioned, this issue has a bug ID and will be addressed in the next revision of firmware.  As of now, there is not an ETA on the release.

robertfeenstra Tue, 11/10/2009 - 20:52
User Badges:

I guess the SA 520W has the same problem?

i just bought 2 of those and have no direct need for that feature but i was planning on buying the SA540 for our main office for the SSL-VPN.

But for that one i need that feature.

Is there a place where we can check on updates on the bugfix? or can we sign up for an alert when the new firmware comes out?

No command line access on these boxes?



jamccord Wed, 11/11/2009 - 06:14
User Badges:

As mentioned there is a bugtrack that is only available at this point to Cisco employee's.

The firmware for the SA540 is the same firmware for all SA500 devices so any issue with one platform will be carried across to the others.

There is no command line access to the SA500 devices.

festivalbussen Fri, 11/13/2009 - 04:19
User Badges:

I opened a case about this and they told me "there is no practice of presenting Beta versions of firmware to the customers" so no luck for me.

jamccord Fri, 11/13/2009 - 05:28
User Badges:

Who did you open a case with?  What is your case (SR) number?

Let me look it up and make sure the case was submitted properly.

You may also call the STAC at 1.866.606.1866

jamccord Fri, 11/13/2009 - 05:56
User Badges:

Your case has been requeued to Case Management and the point of contact should contact you regarding the beta firmware.

Have a great weekend,


jason.derstine Thu, 12/03/2009 - 10:04
User Badges:

What's the status on this?  It's completely ridiculous how long it is taking to get this issue resolved.  I have one of these devices just sitting in my office waiting to get installed at a customer, but it's worthless to them without 1-1 NAT.   Should i just return it?

Steven DiStefano Thu, 12/03/2009 - 10:09
User Badges:
  • Blue, 1500 points or more

Version 1.0.39 is available and should address this.

Please read release notes carefully.

Upgrade requires reconfiguration.


This Discussion