I have an SA520 that is configured with 3 NAT rules in firewall. These rules allow a local server to be exposed for 3 specific services. Everything else is disabled. There is no content filtering for example.
The problem: None of our users are able to use Windows Live Messenger or access certain sites such as www.hotmail.com.
I suspect the device is blocking URLs that redirect. I see that hotmail.com is redirected to a mail.live.com.
Thanks very much.
Since you are not using content filtering, the device won't block your URL automatically.
Can you verify whether this device can reach www.hotmail.com by using diagnostic ping?
But I have another network going through the same T1 modem to the same ISP using a SnapGear firewall that has no problems at all.
Do you have a switch between SA500 and the T1 Modem?
Use a laptop to replace the SA500 in the same switch port, and ping the URL from there. Then we can double confirm whether the problem is inside the SA500 or not.
The SA500 is directly connected to the T1 modem. I am not concerned so much about getting to hotmail. It is just symptomatic of the whole issue. Not being able to use IM is a problem however.
Instead of going to hotmail, if I try to go to "login.live.com", there is no problem. What I am finding is that any website that serves up some parts from URLs other than the main one entered in the browser seems to have a problem. Even Cisco.com takes forever to load up.
We are not seeing this problem in our lab.
However, please try to uncheck "Block Fragmented Packets" in Firewall->Attacks->ICSA settings to see whether it helps or not.
By the way, what version of the firmware are you using now?
Are you using ProtectLink anyway? We saw a similar issue with ProtectLink during earlier times – sometimes, not all times.
I am on version 1.1.42 and not using ProtectLink, IPS or VPN. My settings on the Attack tab are:
1. WAN Security Checks: All checked
2. LAN: Block UDP flood checked
3. ICSA: "Block ICMP Notification" checked, rest unchecked.
4. DoS: Values of 128, 15 and 100 (default values)
Do any changes to setting require a reboot?
I re-installed the latest version which resets the configuration to factory defaults. In this state I was able to get to hotmail.com. When I loaded my config, it stopped working again.
I then disabled the 3 firewall rules. Still, no dice. The only thing left now were the WAN and LAN configuration and one WAN IP Alias.
I modified the disabled rules to not use the WAN Alias and deleted the Alias. I am now able to get to any site without issues.
So, the culprit is the WAN IP Alias.
I think the problem should be on the firewall rules.
Would you like to share your firewall rules so that we might know what's wrong with them?
1. INSECURE WAN -> SECURE LAN -> FTP -> ALLOW always -> Source Hosts (Any) -> Internal IP Address: 192.168.1.5 -> External IP Address: Dedicated WAN (Alias IP)
2. INSECURE WAN -> SECURE LAN -> Custom Service: 7777-7780 -> ALLOW always -> Source Hosts (Any) -> Internal IP Address: 192.168.1.5 -> External IP Address: Dedicated WAN (Alias IP)
3. INSECURE WAN -> SECURE LAN -> Custom Service: 22222-22230 -> ALLOW always -> Source Hosts (Any) -> Internal IP Address: 192.168.1.5 -> External IP Address: Dedicated WAN (Alias IP)
One question for the Alias IP: should its Netmask be the same as that of the primary WAN static address, or something else?
I think you are trying to expose some services in the LAN to the outside world.
If that is the case, instead of creating FW rules from "INSECURE WAN -> SECURE LAN", you should create FW rules from "SECURE LAN -> INSECURE WAN".
Otherwise, you will block some traffic from the outside world to the LAN.
I am confused.
According to the SA 500 Administration Guide, you need to set the From Zone to the source of the traffic. Since I am exposing a device behind my firewall to the outside world, isn't the source of the traffic coming from the Internet (WAN), and the To Zone the recipient, i.e. the local server, which would therefore be LAN?
Does the document have it backwards or am I not reading it right?
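To make the zone question and the three posted rules concrete, here is an added example (not code from the thread or from Cisco) that parses the rules exactly as written above and models how an inbound WAN packet is matched: From Zone is the traffic source (WAN), To Zone is the recipient (LAN), and the External IP Address decides whether the rule applies to the primary WAN address or to the Alias IP. The primary and alias addresses are constructed sample values.

```python
import re
from dataclasses import dataclass

WAN_PRIMARY = "203.0.113.10"  # constructed sample primary WAN address
WAN_ALIAS = "203.0.113.11"    # constructed sample WAN IP Alias

# The three rules exactly as posted in the thread.
RULES_TEXT = [
    "INSECURE WAN -> SECURE LAN -> FTP -> ALLOW always -> Source Hosts (Any) -> Internal IP Address: 192.168.1.5 -> External IP Address: Dedicated WAN (Alias IP)",
    "INSECURE WAN -> SECURE LAN -> Custom Service: 7777-7780 -> ALLOW always -> Source Hosts (Any) -> Internal IP Address: 192.168.1.5 -> External IP Address: Dedicated WAN (Alias IP)",
    "INSECURE WAN -> SECURE LAN -> Custom Service: 22222-22230 -> ALLOW always -> Source Hosts (Any) -> Internal IP Address: 192.168.1.5 -> External IP Address: Dedicated WAN (Alias IP)",
]

# Well-known service names used on the page, mapped to a port range (assumption: FTP control port only).
SERVICE_PORTS = {"FTP": (21, 21)}

@dataclass
class Rule:
    from_zone: str
    to_zone: str
    ports: tuple      # inclusive (low, high) destination port range
    action: str       # "ALLOW" or "BLOCK"
    internal_ip: str  # LAN host the traffic is forwarded to
    external: str     # "alias" or "primary" WAN address

def parse_rule(text: str) -> Rule:
    """Parse one 'A -> B -> service -> action -> ...' line into a Rule."""
    parts = [p.strip() for p in text.split("->")]
    from_zone, to_zone, service, action = parts[0], parts[1], parts[2], parts[3]
    m = re.match(r"Custom Service: (\d+)-(\d+)", service)
    ports = (int(m.group(1)), int(m.group(2))) if m else SERVICE_PORTS[service]
    internal_ip = re.search(r"Internal IP Address: (\S+)", text).group(1)
    external = "alias" if "Alias IP" in text else "primary"
    return Rule(from_zone, to_zone, ports, action.split()[0].upper(), internal_ip, external)

RULES = [parse_rule(t) for t in RULES_TEXT]

def match_inbound(rules, dst_ip: str, dport: int):
    """Return the LAN host an inbound WAN packet is forwarded to, or None if no rule allows it.
    Only WAN->LAN rules apply to inbound traffic; the external IP must match the rule's choice."""
    for r in rules:
        if r.from_zone != "INSECURE WAN" or r.to_zone != "SECURE LAN":
            continue
        wanted_ip = WAN_ALIAS if r.external == "alias" else WAN_PRIMARY
        if dst_ip == wanted_ip and r.ports[0] <= dport <= r.ports[1] and r.action == "ALLOW":
            return r.internal_ip
    return None
```

Traffic to the alias on FTP or the custom ranges reaches 192.168.1.5; the same ports on the primary WAN address, or ports outside the ranges, match nothing.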