Cisco SA540 and problems with NAT

Unanswered Question
Oct 19th, 2009


I have problems with the SA540 and NAT. I’m trying to use three public IP addresses. One is for the SA540, one is for the Exchange server and one is for the Citrix server. I have read the SA540 Admin Guide and followed the instructions, but the NAT doesn’t work. I can access the SA540 from the outside network, but there is no connection to the Exchange or Citrix servers from the outside networks. I have used the Cisco ASA5505 before and they work just fine, so I think I have some kind of knowledge about how these things should work. This is how I have done the firewall rules (the example is from the HTTPS rule):

From Zone: WAN

To Zone: LAN

Service: HTTPS


Source Host: Any

Internal IP address: a.b.c.d (Exchange-server private IP)

External IP address: Other

Other IP address: e.f.g.h (Exchange-server public IP)

Steven Smith Fri, 10/30/2009 - 11:44

There is a bug written for the problem that you are seeing.  It isn't resolved yet.  I will let you know when this is resolved.  I do apologize for the inconvenience.

The bug ID is CSCtc52591.

jani.havia Fri, 10/30/2009 - 13:37

Thanks for your answer. We already got an ASA5505, which is quite familiar to me. But it would be nice if we get the SA540 up and running so that we can use it in the future.


Jani Havia

Steven Smith Tue, 11/03/2009 - 15:47

You can do it with a single IP address. The problem is with multiple IP addresses.

StefanCreutz Wed, 11/04/2009 - 02:35

Any ETA on when this will be resolved? This is a serious issue that makes the device fairly useless!

festivalbussen Wed, 11/04/2009 - 02:39

I have the same problem and I have 4 webservers that I need to connect, so when can we expect this problem to be solved?

jamccord Wed, 11/04/2009 - 05:46

As mentioned, this issue has a bug ID and will be addressed in the next revision of firmware.  As of now, there is not an ETA on the release.

robertfeenstra Tue, 11/10/2009 - 20:52

I guess the SA 520W has the same problem?

I just bought 2 of those and have no direct need for that feature, but I was planning on buying the SA540 for our main office for the SSL-VPN.

But for that one I need that feature.

Is there a place where we can check on updates on the bugfix? Or can we sign up for an alert when the new firmware comes out?

No command line access on these boxes?



jamccord Wed, 11/11/2009 - 06:14

As mentioned, there is a bugtrack that is only available at this point to Cisco employees.

The firmware for the SA540 is the same firmware for all SA500 devices so any issue with one platform will be carried across to the others.

There is no command line access to the SA500 devices.

festivalbussen Fri, 11/13/2009 - 04:19

I opened a case about this and they told me "there is no practice of presenting Beta versions of firmware to the customers" so no luck for me.

jamccord Fri, 11/13/2009 - 05:28

Who did you open a case with?  What is your case (SR) number?

Let me look it up and make sure the case was submitted properly.

You may also call the STAC at 1.866.606.1866

jamccord Fri, 11/13/2009 - 05:56

Your case has been requeued to Case Management and the point of contact should contact you regarding the beta firmware.

Have a great weekend,


jason.derstine Thu, 12/03/2009 - 10:04

What's the status on this?  It's completely ridiculous how long it is taking to get this issue resolved.  I have one of these devices just sitting in my office waiting to get installed at a customer, but it's worthless to them without 1-1 NAT.   Should I just return it?

Steven DiStefano Thu, 12/03/2009 - 10:09

Version 1.0.39 is available and should address this.

Please read release notes carefully.

Upgrade requires reconfiguration.

