Problem with NAT on the SA 540

Unanswered Question
Mar 25th, 2010
User Badges:

Hi everyone I have an issue when setting up the SA 540 Security Appliance with regards to NAT.  On our current PIX501 I can map an outside IP to a NAT IP but don't see anywhere within the config to do it on the SA540 appliance.  I have added the necessary inbound rules with the ports to the appropriate internal IP but this will not work if the outside DNS is pointing to other REAL IP's other than the IP on the outside interface of the SA540.

Any thoughts on this??

Thanks in advance.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Alejandro Gallego Thu, 03/25/2010 - 07:13
User Badges:
  • Cisco Employee,

do you mean you need a one to one NAT?

public IP >> private IP; so IP NATs to directly?

if yes, go to firewall, IPv4 rules and create a rule like this:

from WAN to LAN; all services; allow; forward to IP of desired client (Do not add port)

mvidito007 Thu, 03/25/2010 - 07:29
User Badges:

hmm  not really.  Here's an example:

Our DNS points to say for an MX record for our exchange and our say FTP points to another server which has a DNS record of

I have set inbound rules for SMTP and FTP to point to the internal IP's of 10.x.x.x but if there is only the GW external IP on the SA540 how will it know to route properly??

Do you follow me, am I making any sense?

Here is a quick example of part of my config from my PIX:

static (inside,outside) netmask 0 0


Steven Smith Thu, 03/25/2010 - 08:02
User Badges:
  • Gold, 750 points or more

What software version are you running?  Earlier versions didn't have this.  The current versions do.

mvidito007 Thu, 03/25/2010 - 09:30
User Badges:

Steven I had just updated the firmware to 1.1.21 yesterday.


Alejandro Gallego Thu, 03/25/2010 - 11:43
User Badges:
  • Cisco Employee,

ok i think this is what you have,

public ips:;; ..... ==> SMTP ==> FTP ==> WAN

so i believe you have multiple public ips and you need the SA to know about these IP addresses. you will need to enter the other IPs under Networking; WAN; IP Alias. enter your ip addresses and appropriate subnet mask. once they are there, when you create the IPv4 rule you will have a dropdown menu at the bottom of the screen with all your assigned IPs. so when you create the SMTP rule you will select on the WAN. that will allow all SMTP traffic attached to that public IP to be forwarded to Exchange.

are we heading in the right direction?


This Discussion

Related Content