03-25-2010 06:39 AM
Hi everyone, I have an issue when setting up the SA 540 Security Appliance with regard to NAT. On our current PIX501 I can map an outside IP to a NAT IP, but I don't see anywhere within the config to do it on the SA540 appliance. I have added the necessary inbound rules with the ports to the appropriate internal IP, but this will not work if the outside DNS is pointing to other REAL IPs other than the IP on the outside interface of the SA540.
Any thoughts on this??
Thanks in advance.
Mike
03-25-2010 07:13 AM
Do you mean you need a one-to-one NAT?
Public IP >> private IP; so IP 24.2.3.1 NATs to 192.168.75.20 directly?
If yes, go to firewall, IPv4 rules and create a rule like this:
From WAN to LAN; all services; allow; forward to IP of desired client (do not add port)
03-25-2010 07:29 AM
Hmm, not really. Here's an example:
Our DNS points to, say, 24.2.3.2 for an MX record for our Exchange, and our, say, FTP points to another server which has a DNS record of 24.2.3.3.
I have set inbound rules for SMTP and FTP to point to the internal IPs of 10.x.x.x, but if there is only the GW external IP on the SA540, how will it know to route properly?
Do you follow me, am I making any sense?
Here is a quick example of part of my config from my PIX:
static (inside,outside) 24.3.2.3 10.2.3.3 netmask 255.255.255.255 0 0
Mike
03-25-2010 08:02 AM
What software version are you running? Earlier versions didn't have this. The current versions do.
03-25-2010 09:30 AM
Steven, I had just updated the firmware to 1.1.21 yesterday.
Mike
03-25-2010 11:43 AM
OK, I think this is what you have:
Public IPs: 24.2.3.2; 24.2.3.3; 24.2.3.4 .....
24.2.3.3 ==> SMTP
24.2.3.3 ==> FTP
24.2.3.4 ==> WAN
So I believe you have multiple public IPs and you need the SA to know about these IP addresses. You will need to enter the other IPs under Networking; WAN; IP Alias. Enter your IP addresses and the appropriate subnet mask. Once they are there, when you create the IPv4 rule you will have a dropdown menu at the bottom of the screen with all your assigned IPs. So when you create the SMTP rule, you will select 24.2.3.3 on the WAN. That will allow all SMTP traffic attached to that public IP to be forwarded to Exchange.
Are we heading in the right direction?