SA520 firewall rules.

Unanswered Question
Oct 23rd, 2009
User Badges:

Hello, I'm working with a new SA520 appliance and may be running into a design limitation. We are replacing our RV042 with this device and are not able to configure one-to-one NATs in order to publish various internal systems to the internet for mail delivery, FTP and RDP access. As I'm reading the documentation, it appears that the only place to publish servers to the public IPs is in the DMZ. Is this true? In other words, is it not possible to publish private systems via NAT from the LAN zone?



Steven Smith Fri, 10/23/2009 - 09:47
User Badges:
  • Gold, 750 points or more

Let me make sure I understand the request.  Do you want the box to have Multiple WAN IP addresses that you can use?

WAN IP A is what I use for my HTTP Server

WAN IP B is what I use for my SMTP Server


Or, do you just want the appropriate ports forwarded to a box on your local subnet?

byteryte Fri, 10/23/2009 - 09:54
User Badges:

Yes, each device published outside uses an individual public IP NAT'd to an internal private address. We have a .240 block of public static IPs.

Darren DeCroock Fri, 10/23/2009 - 10:05
User Badges:
  • Silver, 250 points or more

The instructions for setting up one-to-one NAT are shown in the Administrator's Guide attached to this post on page 121: "Configuring a Firewall Rule for Inbound Traffic".

Thank you,


byteryte Fri, 10/23/2009 - 10:15
User Badges:

Thanks for the help, Darren. I've set those rules several times, but they don't work. My concern here is what is written on page 67 of the same guide. It seems to say that only systems in the DMZ can be published to the outside.

Darren DeCroock Fri, 10/23/2009 - 12:12
User Badges:
  • Silver, 250 points or more

The rule for WAN to LAN should be exactly like the rule listed below, with the only difference being "To Zone". Change "DMZ" to "Secure (LAN)".

Allowing Inbound Traffic to a Web Server Using a Specified Public IP

You host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address. Your ISP has provided a static IP address that you want to expose to the public as your web server.

Solution: Create an inbound rule as follows:

Parameter       Value
From Zone       Insecure(WAN1)
To Zone         DMZ
Service         HTTP
Action          ALLOW always
Source Hosts    Any
Internal IP     
External IP     Other
Other IP        (Public IP address)
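The rule above describes only the inbound half of a one-to-one mapping: traffic arriving on the published public IP is destination-NATed to the internal host. A true one-to-one NAT also needs an outbound half, so connections the internal host opens itself leave with the same public IP instead of the appliance's default WAN address. The following model, added here as an illustration and not taken from the SA520 or any Cisco code, walks both halves through a small connection-tracking table; every address, zone name and port in it is a constructed sample value.

```python
"""One-to-one NAT, both halves (added illustration; not SA520 or Cisco code).

A connection-tracking table lets replies to an inbound connection be
un-DNATed correctly even when the outbound (SNAT) half is missing; only a
brand-new connection opened by the internal host reveals the difference.
All addresses, zones and ports are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_WAN_IP = "203.0.113.2"   # constructed: the appliance's own WAN address


@dataclass(frozen=True)
class InboundRule:
    from_zone: str
    to_zone: str
    service_port: int
    external_ip: str   # "Other IP" in the guide's table: the published public IP
    internal_ip: str   # the private host that should answer on it


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OneToOneNat:
    def __init__(self, rules, outbound_half: bool):
        self.rules = list(rules)
        self.outbound_half = outbound_half
        # conntrack key: (internal_ip, internal_port, peer_ip, peer_port) -> public IP
        self.conntrack: Dict[Tuple[str, int, str, int], str] = {}

    def from_wan(self, pkt: Packet, zone_in: str) -> Optional[Packet]:
        """Inbound half (DNAT). Returns the packet as delivered to the LAN,
        or None when no rule publishes that public IP/port (dropped)."""
        for r in self.rules:
            if (zone_in == r.from_zone and pkt.dst_ip == r.external_ip
                    and pkt.dst_port == r.service_port):
                key = (r.internal_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
                self.conntrack[key] = r.external_ip
                return Packet(pkt.src_ip, pkt.src_port, r.internal_ip, pkt.dst_port)
        return None

    def to_wan(self, pkt: Packet) -> Packet:
        """Outbound direction. A reply on a tracked connection is un-DNATed
        from state; a new connection opened by the host only gets the
        published IP when the outbound (SNAT) half is configured."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.conntrack:
            return Packet(self.conntrack[key], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if self.outbound_half:
            for r in self.rules:
                if r.internal_ip == pkt.src_ip:
                    return Packet(r.external_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(DEFAULT_WAN_IP, pkt.src_port, pkt.dst_ip, pkt.dst_port)


# Constructed rule in the shape of the guide's table, with To Zone changed to the LAN.
WEB_RULE = InboundRule("Insecure(WAN1)", "Secure (LAN)", 80,
                       external_ip="203.0.113.10", internal_ip="192.168.1.20")


def walkthrough(outbound_half: bool):
    """Run one inbound HTTP connection and one host-initiated connection
    through the model; returns (lan_dst, reply_src, new_conn_src)."""
    nat = OneToOneNat([WEB_RULE], outbound_half)
    client = Packet("198.51.100.7", 40000, "203.0.113.10", 80)
    delivered = nat.from_wan(client, "Insecure(WAN1)")
    reply = nat.to_wan(Packet("192.168.1.20", 80, "198.51.100.7", 40000))
    egress = nat.to_wan(Packet("192.168.1.20", 51000, "192.0.2.9", 443))
    return delivered.dst_ip, reply.src_ip, egress.src_ip


if __name__ == "__main__":
    print("inbound half only:", walkthrough(outbound_half=False))
    print("both halves:      ", walkthrough(outbound_half=True))
```

With only the inbound half the web server is reachable and its replies carry the published IP, yet a connection it opens itself still leaves from the default WAN address; with both halves configured the host egresses from its published IP in every case.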

byteryte Fri, 10/23/2009 - 12:18
User Badges:

That is exactly what I have been doing, but it doesn't work. No traffic from the outside can access the system through the referenced public IP. Also, that same system retains the default WAN address as its outbound IP as shown when visiting '', not the correct public IP as defined in the rule.

Before we go any farther, can I get a confirmation that publishing from the WAN to LAN definitely does work? Have you seen this work in a live installation?

Thanks again for your help.

joseph.santucci Sun, 10/25/2009 - 15:39
User Badges:

I am having exactly the same issue. The instructions in the manual don't seem to work or be sufficient. Is there a solution available?

byteryte Mon, 10/26/2009 - 14:08
User Badges:

Joseph, I'm afraid it's not looking very good for us.  If you start reading on page 67 "Configuring a DMZ" it's pretty clear that the DMZ is the only zone available for the publishing of public-facing devices.  While this may work fine for a web server or a front-end email server, it is not at all useful for an SBS server or for allowing RDP access to local workstations.  I guess, as a workaround, one could simply locate their entire network in the DMZ, but that is a silly handicap for a router which is supposed to be designed for small business.

I'm all ears if someone here knows something I'm missing.  It would save me several wasted hours and paying the restocking fee when it goes back to my supplier.

beowulfs Tue, 10/27/2009 - 16:21
User Badges:

Did you set up a rule from LAN secure to WAN insecure dedicated optional WAN as well, to allow traffic both ways?

I'm not sure it will help, but it's a guess.

I'm trying the same thing, but with IPs on different subnets. Even worse, and I think untenable at this stage. I'm beginning to wish I'd just gotten two ASAs instead. I just wanted to give these a shot since they were inexpensive GigE devices.

byteryte Tue, 11/03/2009 - 08:42
User Badges:

Thanks Darren, that is what I was hoping to hear.  I appreciate you following up on this.

Best Wishes,


Steven Smith Wed, 11/11/2009 - 07:33
User Badges:
  • Gold, 750 points or more

There is a beta firmware fix for the NAT problem available now.  Please open a case and the TAC can get it for you.

byteryte Fri, 11/13/2009 - 14:08
User Badges:

Thanks for the update, Steven.  I'm going to wait for the final release before I apply it.  I'm using an RV042 right now and can wait.  I am hoping that this appliance performs as expected so we can push it across our customer base.  We are running into more and more installations which require VLAN support, but the networks are too small to justify an ASA.

Best Wishes,


jamccord Fri, 11/20/2009 - 08:22
User Badges:

I have posted this elsewhere, but wanted to make sure you became aware.

Version 1.0.17 firmware was released.

Jim Thomas Fri, 11/20/2009 - 09:00
User Badges:

I have not played with this firewall first-hand personally. Is this a GUI-based appliance? Is the OS from the ASA product line, or is this truly a step up from the Linksys line?



beowulfs Fri, 11/20/2009 - 09:06
User Badges:

Linksys-type GUI with maybe a little more polish. I'm actually going to have to get a couple of 5505s to replace my 540s. They keep dropping the IPsec site-to-site VPN. I've got a case open and I'm using beta firmware, but I haven't tried the newly released 17 firmware. I'm on it now after I send logs. No telnet or SSH access. Ever. Period. Initial versions of the manual, and possibly current versions, that allude to this are wrong.

byteryte Fri, 11/20/2009 - 15:37
User Badges:

jamccord wrote:

I have posted this elsewhere, but wanted to make sure you became aware.

Version 1.0.17 firmware was released.

I appreciate you following up on this.  My 520 is now working correctly after applying the firmware.

Thanks for everyone's help.