SA520 firewall rules.

Unanswered Question
Oct 23rd, 2009

Hello, I'm working with a new SA520 appliance and may be running into a design limitation.  We are replacing our RV042 with this device and are not able to configure one-to-one NAT's in order to publish various internal systems to the internet for mail delivery, ftp and rdp access.  As I'm reading the documentation, it appears that the only place to publish servers to the public IP's is in the DMZ.  Is this true?  In other words, is it not possible to publish private systems via NAT from the LAN zone?

Thanks,

Steve

Steven Smith Fri, 10/23/2009 - 09:47

Let me make sure I understand the request.  Do you want the box to have Multiple WAN IP addresses that you can use?

WAN IP A is what I use for my HTTP Server

WAN IP B is what I use for my SMTP Server

etc

Or, do you just want the appropriate ports forwarded to a box on your local subnet?

byteryte Fri, 10/23/2009 - 09:54

Yes, each device published outside uses an individual public IP nat'd to an internal private address.  We have a .240 block of public static IP's.

byteryte Fri, 10/23/2009 - 10:15

Thanks for the help, Darren.  I've set those rules several times, but they don't work.  My concern here is what is written on page 67 of the same guide.  It seems to say that only systems in the DMZ can be published to the outside.

Darren DeCroock Fri, 10/23/2009 - 12:12

The rule for WAN to LAN should be exactly like the rule listed below, with the only difference being "To Zone".  Change "DMZ" to "Secure (LAN)"

Allowing Inbound Traffic to a Web Server Using a Specified Public IP Address

Situation:

You host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address. Your ISP has provided a static IP address that you want to expose to the public as your web server address.

Solution: Create an inbound rule as follows:

Parameter       Value
From Zone       Insecure (WAN1)
To Zone         DMZ
Service         HTTP
Action          ALLOW always
Source Hosts    Any
Internal IP     192.167.5.2
External IP     Other
Other IP        209.165.201.225 (Public IP address)

byteryte Fri, 10/23/2009 - 12:18

That is exactly what I have been doing, but it doesn't work.  No traffic from the outside can access the system through the referenced public IP.  Also, that same system retains the default WAN address as its outbound IP as shown when visiting 'whatismyip.com', not the correct public IP as defined in the rule.

Before we go any farther, can I get a confirmation that publishing from the WAN to LAN definitely does work?  Have you seen this work in a live installation?

Thanks again for your help.

joseph.santucci Sun, 10/25/2009 - 15:39

I am having exactly the same issue.  The instructions in the manual don't seem to work or be sufficient.  Is there a solution available?

byteryte Mon, 10/26/2009 - 14:08

Joseph, I'm afraid it's not looking very good for us.  If you start reading on page 67 "Configuring a DMZ" it's pretty clear that the DMZ is the only zone available for the publishing of public-facing devices.  While this may work fine for a web server or a front-end email server, it is not at all useful for an SBS server or for allowing RDP access to local workstations.  I guess, as a workaround, one could simply locate their entire network in the DMZ, but that is a silly handicap for a router which is supposed to be designed for small business.

I'm all ears if someone here knows something I'm missing.  It would save me several wasted hours and paying the restocking fee when it goes back to my supplier.

beowulfs Tue, 10/27/2009 - 16:21

Did you set up a rule from LAN secure to WAN insecure dedicated optional WAN as well, to allow traffic both ways?

I'm not sure it will help, but it's a guess.

I'm trying the same thing, but with IP's on different subnets.  Even worse, and I think untenable at this stage.  I'm beginning to wish I'd just gotten two ASA's instead.  I just wanted to give these a shot since they were inexpensive GigE devices.

byteryte Tue, 11/03/2009 - 08:42

Thanks Darren, that is what I was hoping to hear.  I appreciate you following up on this.

Best Wishes,

Steve

Steven Smith Wed, 11/11/2009 - 07:33

There is a beta firmware fix for the NAT problem available now.  Please open a case and the TAC can get it for you.

byteryte Fri, 11/13/2009 - 14:08

Thanks for the update, Steven.  I'm going to wait for the final release before I apply it.  I'm using an RV042 right now and can wait.  I am hoping that this appliance performs as expected so we can push it across our customer base.  We are running into more and more installations which require VLAN support, but the networks are too small to justify an ASA.

Best Wishes,

Steve

jamccord Fri, 11/20/2009 - 08:22

I have posted this elsewhere, but wanted to make sure you became aware.

Version 1.0.17 firmware was released.

James Thomas Fri, 11/20/2009 - 09:00

I have not played with this firewall first hand personally.  Is this a GUI based appliance?  Is the OS from the ASA product line, or is this truly a step up from the Linksys line?

Thanks

Jim

beowulfs Fri, 11/20/2009 - 09:06

Linksys type GUI with maybe a little more polish.  I'm actually going to have to get a couple of 5505's to replace my 540's.  They keep dropping the IPsec site to site VPN.  I've got a case open and I'm using beta firmware, but I haven't tried the newly released 17 firmware.  I'm on it now after I send logs.  No telnet or SSH access.  Ever.  Period.  Initial versions of the manual, and possibly current versions that allude to this, are wrong.

byteryte Fri, 11/20/2009 - 15:37

jamccord wrote:

I have posted this elsewhere, but wanted to make sure you became aware.

Version 1.0.17 firmware was released.

I appreciate you following up on this.  My 520 is now working correctly after applying the firmware.

Thanks for everyone's help.

Steve
