Do we have a fix for this yet?
Now that the DMZ port doesn't seem to work, I have placed our Web and CRM server on a VLAN. I have created a firewall forwarding rule -> WAN to LAN HTTP allow always and pointed it to the internal IP address.
When I type in our domain name in the browser I only get the Cisco remote management page, no forwarding to the web server.
What am I doing wrong?
I have tried to disable the remote management, but that still doesn't change anything. (btw, how do I change which port the RMON uses, it's grayed out in the setup page)
SA 540 firmware 1.0.39
You can't currently change the RMON port. The port forwarding should work, but is your session changing to HTTPS?
Note: taking off RMON will break your SSL VPNs.
Yes, my session is changing to HTTPS and sending me to my Cisco portal and not my web server. Any suggestions?
I know that changing the RMON will break my SSL VPN, I just had to try to see if it changed anything.
Could you post some screenshots of the FW rules you have set up? If you don't want to show them here, please PM them to me.
SA-540 1.015 (downgrade the 1.039 firmware, it breaks static routes...)
I have the same problem.
You try to get your web server with its FQDN? Like me....
And you get the Cisco remote management page! Like me...
Try with its fixed IP (internal) and it works.
I am very confused with the SA540, no telnet, no IOS access?
For other products a simple 'ip nat loopback on' and you can hit your server in the LAN with the FQDN.
With the remote management there is no way to put a rule to make this work.
I am very very disappointed with this SA-540 SMB.
So any solutions?
Confirming the 1.0.39 breaking Static Routes. It doesn't allow subnets to be added, only individual hosts. I reported to the BU last night as well.....
We do have a bug written against the hairpinning problem. It should be fixed soon, but I don't have the exact date.
hhwesterg, are you doing hairpinning as well? Does this work from outside your device?
No, it does not work from outside my device, I just get to the RMON page, no forwarding to my Web server at all. I've taken all FW rules away and just have the WAN to LAN allow HTTP "ip address of server" but still nothing.
I got confirmation that the DMZ/Optional port does not work, I can't SSL from our Apple computers to our Network, and now it seems like we can't get our Web or e-mail servers working either if there is no port forwarding. On top of this, it now also seems like the SA 540 is blocking EDNS packets, slowing down our DNS server. Please tell me that there is something to be done, it can't be that Cisco have put a "Pro" device out where only 9 out of 10 ports work and that you can not host Web, email or CRM servers because there is no port forwarding, not to mention it only supports IE browsers for SSL.
I don't mean to sound cranky, but we have spent so much time trying to get this device to work, please help. (I wish I could give you some logs, but logging doesn't seem to work either)
...fixed soon : any date ? ;)
Try, if you can, to modify your internal DNS server.
Create an A record for your web server, CRM... (internal IP)
This is what I am doing....
No class, no secure, but working while the bug was closed.
Thanks for your reply, I appreciate it, it's 1am and I'm getting a little tired and cranky working on this thing (it's cisco, it should work) so I probably shouldn't be posting now. Anyhow.
I'm not sure if I understood you right.
Did you have the same problem with your DNS server behind the SA 500?
And, you found a work around by adding A records for your other servers?
Sitting on the DNS server I get this, so I'm not sure how adding A records for the other servers would help, I'll give it a try though, getting desperate here.
Hi hhwesterg :)
I have the same problem as you:
2 web servers and 2 mail servers inside my LAN (and subnet...)
Rules for forwarding Wlan -> Lan work ONLY from outside my LAN.
From inside, if I use the FQDN of the web servers or mail servers, I'll get the management console of the SA-540!
I don't use the 2nd WAN port in DMZ but in wlan2.
So, as the SA-540 is not able to handle a connection from inside LAN to wlan with the real name (www.xxx.com, mail.xxx.com), I must use a record from my DNS server.
A type A to associate an IP to a name.
I repeat, this is not cool and not clean....
I'm looking at my old ZyXEL P600 router and I cry....
This 'poor' router is able to do what a Cisco SA-540 can't do, at no comparable price.
The next time, I don't know if my company will buy Cisco...
Not for me!
Is this problem resolved yet? This is a huge problem for me. There was a new firmware just released for the sa520 but I did not see anything in it about hair pinning. Please give us some status. This issue has been going on for too long. Cisco is too big of a network company to let such a big problem go on for so long.
Do we have a fix for this yet?
Yes, NAT hairpinning issue is fixed in the RC1 build. Please see below message on how to obtain the image.
A Release Candidate (RC1) build for the SA 500 is now available for Cisco customers and partners to evaluate. If you are an interested customer/partner, you can obtain an early build of the firmware by sending an email to: firstname.lastname@example.org with your Cisco.com User ID in the subject line of the email. You will then receive an email notification with instructions on how to download the firmware.
Like I said, I shouldn't be posting at this hour, I thought you replied to one of my other postings (DNS Server problems), I'd better try your suggestion tomorrow.
Thanks for your call today, forwarding to our VLAN is working as it should. Though for some reason I can't check that even when I'm on a VPN to another network in Europe (which has no connection to our local network here).
I'm having the previously mentioned issues.
SA520 - Firmware 1.1.65
Mac PCs unable to connect to internal NAT loopback / NAT hairpinning for internal web server.
Macs connect with Outlook to Exchange using RPC over HTTPS and the redirect fails
Firewall rules image attached - WAN to LAN from any source forwards HTTPS traffic to destination address of internal server
The boxes eventually time out
My current solution is to add a host entry for the A record
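
Added example, not part of any post in this thread: a Python sketch of the internal A record workaround several posters describe. It works out which forwarded names a LAN client would resolve to the gateway's own WAN address (the case that needs NAT hairpinning) and produces the internal overrides; every hostname, address and function name below is constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the thread.
WAN_IP = "203.0.113.10"                          # gateway's public address
LAN_NET = ipaddress.ip_network("192.168.75.0/24")
PUBLIC_DNS = {                                   # what the public zone answers
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.10",
    "crm.example.com": "198.51.100.7",           # hosted elsewhere, no forward
}
FORWARDS = {                                     # WAN -> LAN rules: name -> server
    "www.example.com": "192.168.75.20",
    "mail.example.com": "192.168.75.21",
}

def needs_hairpin(client_ip, name, dns_view):
    """True if a LAN client would be sent to the gateway's own WAN address,
    i.e. the request only succeeds when the gateway supports NAT loopback."""
    inside = ipaddress.ip_address(client_ip) in LAN_NET
    return inside and dns_view.get(name) == WAN_IP

def split_dns_overrides(forwards, public_dns):
    """Internal A records for every forwarded name that publicly resolves to
    the WAN address and whose target really sits on the LAN."""
    return {
        name: server
        for name, server in forwards.items()
        if public_dns.get(name) == WAN_IP
        and ipaddress.ip_address(server) in LAN_NET
    }

def internal_view(public_dns, overrides):
    """DNS answers as seen by LAN clients once the overrides are in place."""
    return {**public_dns, **overrides}

def hosts_lines(overrides):
    """Same overrides in hosts-file form, for clients without an internal DNS."""
    return [f"{ip}\t{name}" for name, ip in sorted(overrides.items())]

if __name__ == "__main__":
    ov = split_dns_overrides(FORWARDS, PUBLIC_DNS)
    view = internal_view(PUBLIC_DNS, ov)
    for name in PUBLIC_DNS:
        print(name, needs_hairpin("192.168.75.50", name, PUBLIC_DNS),
              "->", needs_hairpin("192.168.75.50", name, view))
    print("\n".join(hosts_lines(ov)))
```

With the override in place LAN clients reach the server directly, so the WAN to LAN firewall rule no longer sits in their path.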