SA 540 Can't get port forwarding to work.

Unanswered Question
Dec 7th, 2009
User Badges:

Now that the DMZ port doesn't seem to work, I have placed our Web and CRM server on a VLAN. I have created a firewall forwarding rule -> WAN to LAN HTTP allow always and pointed it to the internal IP address.

When I type in our domain name in the browser I only get the Cisco remote management page, no forwarding to the web server.

What am I doing wrong?

I have tried to disable the remote management, but that still doesn't change anything. (btw, how do I change which port the RMON uses, it's grayed out in the setup page)

SA 540 firmware 1.0.39

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Steven Smith Mon, 12/07/2009 - 16:29
User Badges:
  • Gold, 750 points or more

You can't currently change the RMON port.  The port forwarding should work, but is your session changing to HTTPS? 

Note: taking off RMON will break your SSL VPN's. 

hhwesterg Mon, 12/07/2009 - 17:52
User Badges:

Yes, my session is changing to HTTPS and sending me to my Cisco portal and not my web server. Any suggestions?

I know that changing the RMON will break my SSL VPN, I just had to try to se if it changed anything.

Steven Smith Tue, 12/08/2009 - 08:03
User Badges:
  • Gold, 750 points or more

Could you post some screen shots of the FW rules you have setup?  If you don't want to show them here, please PM them to me.

cisco-ud33 Mon, 12/07/2009 - 23:13
User Badges:

SA-540 1.015 (downgrade the 1.039 firmware, it break static route...)


i have the same problem.

You try to to get your web server with its fqdn ? like me....

and you get the Cisco remote management page ! like me...

try with its fixed ip (internal) and its works.

i am very confuse with the SA540, no telnet, no ios access ?

for other products a simple 'ip nat loopback on ' and you can hit your server in lan with the fqdn.

with the Remote management no way for put a rules to make this works.

i am very very disappointed with this SA-540 SMB

So any solutions ?



Steven DiStefano Tue, 12/08/2009 - 07:37
User Badges:
  • Blue, 1500 points or more

Confirming the 1.0.39 breaking Static Routes.   It doesnt allow subnets to be added, only individual hosts.   I reported to the BU last night as well.....


Steven Smith Tue, 12/08/2009 - 08:04
User Badges:
  • Gold, 750 points or more

We do have a bug written against the hairpinning problem.  It should be fixed soon, but I don't have the exact date.

hhwesterg, are you doing hairpinning as well?  Does this work from outside your device?

hhwesterg Thu, 12/10/2009 - 00:50
User Badges:

No it does not work from outside my devise, I just get to the RMON page, no forwarding to my Web server at all. I've taken all FW rules away and just have the WAN to LAN allow HTTP "ip address of server" but still nothing.

I got confirmation that the DMZ/Optional port does not work, I can't SSL from our Apple computers to our Network, and now it seems like we can't get our Web or e-mail servers working either if there is not port forwarding. On top of this, it now also seems like the SA 540 is blocking EDNS packets, slowing down our DNS server. Please tell me that there is something to be done, it can't be that Cisco have put a "Pro" devise out where only 9 out of 10 ports work and that you can not host Web, email or CRM servers because there is no port forwarding, not to mention it only supports IE browsers for SSL.

I don't mean to sound cranky, but we have spend so much time trying to get this devise to work, please help. (I wish I could give you some logs, but logging doesn't seem to work either)

cisco-ud33 Thu, 12/10/2009 - 00:54
User Badges:

-> Steven

...fixed soon : any date ? ;)

-> hhwesterg

try, if you can, modify your internal dns server.

create a A record for your web server, crm... (internal ip)

this is what i am doing....

no class, no secure, but working while the bug was closed.

Philippe Demaret

hhwesterg Thu, 12/10/2009 - 01:07
User Badges:

Thanks for your reply, I appreciate it, it's 1am and I'm getting a little tired and cranky working on this thing (it's cisco, it should work) so I probably shouldn't be posting now. Anyhow.

I'm not sure if I understood you right.

Did you have the same problem with your DNS server behind the SA 500?

And, you found a work around by adding A records for your other servers?

Sitting on the DNS server I get this, so I'm not sure how adding A records for the other servers would help, I'll give it at try though, getting desperate here.



cisco-ud33 Fri, 12/11/2009 - 05:41
User Badges:

Hi hhwesterg :)

I have the same problem like you:

2 web server and 2 mail servers inside my lan (and subnet...)

rules for forwarding Wlan -> Lan works ONLY from outside my lan

from inside if i use the fqdn of the web servers or mail servers, i'll get the mangement console of the sa-540 !

i don't use the 2nd wan port in dmz but in wlan2

so, as the sa-540 in not be able to handle a connexion from inside lan to wlan with the real name (, i must use a record from my dns server.

a type A for associate an IP to a name

that's all.

i repeat, this is not cool and not clean....

i'm looking my old Zyxell P600 router and i cry....

this 'poor' router is able to do what a Cisco SA-540 can't do, at no comparable price 

the next time, i don't know if my company will buy Cisco...

not fot me !


Steven Smith Fri, 12/11/2009 - 15:33
User Badges:
  • Gold, 750 points or more

This is the hairpinning problem.  We are working for a resolution on this, but I do not have a date for it.

david.grudek Mon, 04/19/2010 - 08:52
User Badges:

Is this problem resolved yet?  This is a huge problem for me.  There was a new firmware just released for the sa520 but I did not see anything in it about hair pinning.  Please give us some status.  This issue has been going on for too long.  Cisco is too big of a network company to let such a big problem go on for so long.

biraja Mon, 04/19/2010 - 12:59
User Badges:

The firmware with NAT hairpinning will be available by end of this month.



I have upgraded our firmware on our SA540 to the 1.1.42 version from mid April. 

I am still experiencing the original problem reported by hhwesterg where the web server is on the LAN and a firewall forwarding rule -> WAN to LAN HTTP allow always and pointed it to the internal IP address is in place.  When I type in our domain name in the browser I get switched to https and servered the Cisco remote management page, no forwarding to the web server takes place.

Do we have a fix for this yet

weilia Mon, 06/28/2010 - 15:01
User Badges:
  • Cisco Employee,

Yes, NAT hairpining issue is fixed in the RC1 build. Please see below message on how to obtain the image.

A Release Candidate (RC1) build for the SA 500 is now available for Cisco customers and partners to evaluate. 
If you are an interested customer/partner, you can obtain an early build of the firmware by sending an
email to: [email protected] with your User ID in the subject line of the email. You will
then receive an email notification with instructions on how to download the firmware.

hhwesterg Thu, 12/10/2009 - 01:23
User Badges:

Like I said, I shouldn't be posting at this hour, I thought you replied to one of my other postings (DNS Server problems), I'll better try your suggestion tomorrow.



Steven Smith Thu, 12/10/2009 - 11:00
User Badges:
  • Gold, 750 points or more

No dates yet.  Sorry about that.

hhwesterg Thu, 12/10/2009 - 14:13
User Badges:

Hi Steven

Thanks for your call today, forwarding to our VLAN is working as it should. Though for some reason I can't check that even when I'm on a VPN to an other network in Europe (which have no connection to our local network here).



dmgalt2006 Thu, 12/30/2010 - 16:11
User Badges:

I'm having the previously mentioned issues.

SA520 - Firmeware 1.1.65

MAC pcs unable to connect to internal NAT loopback / NAT Hairping for internal web server.

MAC's connect with Outlook to Exchange using RPC over HTTPS and the redirect fails

Firewall rules image attached - WAN to LAN from any source forwards HTTPS traffic to destination address of internal server

The boxes eventualy time out

My current solution is to add a host entry for the A record


This Discussion