Cisco SA540 and problems with NAT

jani.havia · ‎10-19-2009

Hi,

I have problems with SA540 and NAT. I’m trying to use three public IP-addresses. One is for SA540, one is for Exchange-server and one is for Citrix server. I have read the SA540 Admin Guide and follow the instructions but the NAT doesn’t work. I can access to SA540 from the outside network but there is no connection for Exchange or Citrix servers from the outside networks. I have used Cisco ASA5505 before and they works just fine so I think some kind on knowledge about how this things should work. This is how I have done the Firewall rules (example is from HTTPS rule):

From Zone: WAN

To Zone: LAN

Service: HTTPS

Action: ALLOW ALWAYS

Source Host: Any

Internal IP address: a.b.c.d (Exchange-server private IP)

External IP address: Other

Other IP address: e.f.g.h (Exchange-server public IP)

Steven Smith · ‎10-30-2009

There is a bug written for the problem that you are seeing. It isn't resolved yet. I will let you know when this is resolved. I do apologize for the inconvenience.

The bug ID is CSCtc52591.

jani.havia · ‎10-30-2009

Thanks for your answer. We already get ASA5505 which is quite familiar to me. But it would be nice if we get the SA540 up and running so that we can use it in future.

regards,

Jani Havia

matt · ‎11-03-2009

Does this apply to all static NAT'ing on this device? Makes it pretty useless for anyone who has a server they need to expose. Can you do a PAT only without a one-to-one? I think this will be the last time I get burned by this Cisco SMB stuff. All these devices end up being overpriced subpar POS's.

Steven Smith · ‎11-03-2009

You can do it with a single IP address. The problem is with multiple IP addresses.

StefanCreutz · ‎11-04-2009

Any ETA on when this will be resolved? This is a serious issue that makes the device fairly useless!

festivalbussen · ‎11-04-2009

I have the same problem and I have 4 webservers that I need to connect so when can we expect this problem to be solved?

jamccord · ‎11-04-2009

As mentioned, this issue has a bug ID and will be addressed in the next revision of firmware. As of now, there is not an ETA on the release.

robertfeenstra · ‎11-10-2009

I guess the SA 520W has the same problem?

i just bought 2 of those and have no direct need for that feature but i was planning on buying the SA540 for our main office for the SSL-VPN.

But for that one i need that feature.

Is there a place where we can check on updates on the bugfix? or can we sign up for an alert when the new firmware comes out?

No command line access on these boxes?

Thanks,

R.

Steven Smith · ‎11-11-2009

...

jamccord · ‎11-11-2009

As mentioned there is a bugtrack that is only available at this point to Cisco employee's.

The firmware for the SA540 is the same firmware for all SA500 devices so any issue with one platform will be carried across to the others.

There is no command line access to the SA500 devices.

festivalbussen · ‎11-13-2009

I opened a case about this and they told me "there is no practice of presenting Beta versions of firmware to the customers" so no luck for me.

festivalbussen · ‎11-13-2009

Dubbel post

jamccord · ‎11-13-2009

Who did you open a case with? What is your case (SR) number?

Let me look it up and make sure the case was submitted properly.

You may also call the STAC at 1.866.606.1866

festivalbussen · ‎11-13-2009

My case number is SR 612962033