UC520 behind an SA540

Unanswered Question
Dec 21st, 2009
User Badges:

I recently installed a SA540 in front of my UC520.  The SA540 is handling the internet facing traffic.  The SA is using two interfaces WAN (public IP) and LAN (

I was able to get the UC520 working and clients are able to connect through to the internet, etc.  Clients on the UC are either data ( or voice 10.x.x.x

One of the reasons I choose to install an SA540 was for the firewall rules.  When I create a rule I can enter an IP from the UC range but the SA540 does not seem to apply the rules to the traffic.  The firewall rule creation only allows FROM: SECURE LAN to WAN or the other way around.

I am assuming the traffic is not being seen properly as the SA540 facing interface from the UC has a address.  If I setup a rule to block the MAC on this interface it blocks all traffic.

My question is how do I add the range into the SA54's secure LAN zone so that traffic is affected by rules I create.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Steven Smith Tue, 12/22/2009 - 08:08
User Badges:
  • Gold, 750 points or more

Can you give some more information about what you are trying to do with the rules?  Is NAT enabled on the UC500?  Is the FW enabled on the UC500?

They should both be disabled and static routing to the UC for the voice and data subnets should be there.

What version of the SA540 are you running?

carter.chad Tue, 12/22/2009 - 08:20
User Badges:

I am trying to create scheduled based internet access rules based on source IP and or MAC address.

FW disabled on UC

Nat disabled on UC

static IP assigned to UC WAN interface ( - that IP is part of the SA540 LAN range (

Latest version of SA540 firmware 1.0.39

The SA540 interface for creating rules seems very straight forward.   I created a schedule and then created a rule based on that schedule.  I also just tried BLOCK without using schedule but any users on the UC LAN range ( do not seem to be affected by the rules I create on the SA540 even though I specifically define their IP.  I also tried MAC filtering but that only works if I filter the MAC address of the UC which effectively blocks everyone on the UC side.

I do have static routes defined on the SA to LAN IP addresses on the UC.  Without doing that traffic would not flow.  I would prefer to define the network instead of the individual IP addresses but I do not see how that can be done.



Steven Smith Tue, 12/22/2009 - 08:28
User Badges:
  • Gold, 750 points or more

So, you are saying that you block 192.168.10.X from using port 80 outbound for example?  Let me try to recreate this problem.

carter.chad Tue, 12/22/2009 - 09:07
User Badges:

Yes that would be pretty close.  I am looking to block all internet traffic from specific IP addresses in that range based on a time schedule.  A basic test could be block port 80 from 192.168.10.x

Steven Smith Wed, 01/13/2010 - 12:31
User Badges:
  • Gold, 750 points or more

Could you send me the sniffer of this?  I would be interested in forwarding this to our development team.

Steven Smith Tue, 12/22/2009 - 14:34
User Badges:
  • Gold, 750 points or more

I am able to successfully block this.  Make sure that you are using source address on your FW rules.  Make sure NAT is disabled on the UC.  Also, if you are using a schedule, make sure you have selected NTP servers that work for you and that you have selected the correct timezone.

carter.chad Tue, 12/22/2009 - 14:47
User Badges:

I checked NTP and time zone is correct.  I am using source address and NAT is disabled on the UC.  Does the SA540 need to be rebooted for rule changes to take effect?

Steven Smith Tue, 12/22/2009 - 14:51
User Badges:
  • Gold, 750 points or more

No, you don't have to reboot to disable NAT.  Can you post a screen shot of your firewall rule?  Also, can you post your UC500 config?

carter.chad Tue, 12/22/2009 - 16:25
User Badges:

I'm using CCA for all of this and NAT shows disabled there.  I checked my config using CLI and I do not see any NONAT statements anywhere. 

My question around reboot was in reference to the firewall rule changes on the SA540.

Attached is a screenshot of a rule.

carter.chad Thu, 01/14/2010 - 06:24
User Badges:

There is a new firmware posted that has solved my originally posted issue.  I can use firewall rules effectively.  It was posted Jan 12, 2010. Version 1.1.21

Steven Smith Thu, 01/14/2010 - 08:40
User Badges:
  • Gold, 750 points or more

I am not sure if this will fix the URI problem that you are having.  I have forwarded this info to development and will see what they come back with.

carter.chad Thu, 01/14/2010 - 08:47
User Badges:

I noticed that as well...all my rules, schedules, routing, etc....gone.

Steven Smith Thu, 01/14/2010 - 11:08
User Badges:
  • Gold, 750 points or more

I have confirmed with developers that this upgrade did do a factory reset.  I have also confirmed that this is the last upgrade that will have a factory reset.


This Discussion