Hello, I'm working with a new SA520 appliance and may be running into a design limitation. We are replacing our RV042 with this device and are not able to configure one-to-one NATs in order to publish various internal systems to the internet for mail delivery, FTP and RDP access. As I'm reading the documentation, it appears that the only place to publish servers to the public IPs is in the DMZ. Is this true? In other words, is it not possible to publish private systems via NAT from the LAN zone?
Let me make sure I understand the request. Do you want the box to have multiple WAN IP addresses that you can use?
WAN IP A is what I use for my HTTP Server
WAN IP B is what I use for my SMTP Server
Or, do you just want the appropriate ports forwarded to a box on your local subnet?
Yes, each device published outside uses an individual public IP NAT'd to an internal private address. We have a .240 block of public static IPs.
Thanks for the help, Darren. I've set those rules several times, but they don't work. My concern here is what is written on page 67 of the same guide. It seems to say that only systems in the DMZ can be published to the outside.
The rule for WAN to LAN should be exactly like the rule listed below, with the only difference being "To Zone". Change "DMZ" to "Secure (LAN)"
Allowing Inbound Traffic to a Web Server Using a Specified Public IP
You host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address. Your ISP has provided a static IP address that you want to expose to the public as your web server.
Solution: Create an inbound rule as follows:
From Zone: Insecure (WAN1)
To Zone: DMZ
Action: ALLOW always
Source Hosts: Any
Internal IP: 220.127.116.11
External IP: Other
Other IP: 18.104.22.168 (Public IP address)
That is exactly what I have been doing, but it doesn't work. No traffic from the outside can access the system through the referenced public IP. Also, that same system retains the default WAN address as its outbound IP, as shown when visiting 'whatismyip.com', not the correct public IP as defined in the rule.
Before we go any further, can I get a confirmation that publishing from the WAN to LAN definitely does work? Have you seen this work in a live installation?
Thanks again for your help.
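To make the two halves of a one-to-one NAT concrete (the inbound rule the manual describes, and the outbound source translation that the 'whatismyip.com' test above is checking), here is a small Python model. It is an illustration added to this thread, not code from the SA520 or its documentation; all addresses are constructed from the RFC 5737 documentation ranges, and the class and function names are my own. The `translate_outbound=False` case models a DNAT-only behaviour, where the mapped host still leaves through the default WAN address.

```python
"""Toy model of one-to-one (static) NAT on a firewall with a block of public IPs.

Illustrative code added to this thread, not from the SA520 or its manual.
All addresses are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


DEFAULT_WAN_IP = "203.0.113.1"  # constructed: the router's primary WAN address

# constructed: public IP -> private host, i.e. the "Other IP" / "Internal IP"
# pairs of the inbound rules discussed in the thread
MAPPINGS = {
    "203.0.113.10": "192.168.1.10",  # HTTP server
    "203.0.113.11": "192.168.1.11",  # SMTP server
}


class OneToOneNat:
    """Hypothetical model of a 1:1 NAT table with default-deny inbound rules."""

    def __init__(self, mappings: Dict[str, str], default_wan_ip: str,
                 translate_outbound: bool = True) -> None:
        self.pub_to_priv = dict(mappings)
        self.priv_to_pub = {priv: pub for pub, priv in mappings.items()}
        self.default_wan_ip = default_wan_ip
        # A complete 1:1 NAT also rewrites the source of outbound traffic;
        # False models a DNAT-only behaviour (the symptom reported above).
        self.translate_outbound = translate_outbound
        self.allowed: Set[Tuple[str, int]] = set()

    def allow_inbound(self, public_ip: str, port: int) -> None:
        """Equivalent of an ALLOW rule from the WAN zone to the mapped host."""
        if public_ip not in self.pub_to_priv:
            raise ValueError(f"{public_ip} has no one-to-one mapping")
        self.allowed.add((public_ip, port))

    def from_wan(self, pkt: Packet) -> Optional[Packet]:
        """Inbound: DNAT the public destination to the private host, or drop."""
        if (pkt.dst, pkt.dport) not in self.allowed:
            return None  # default deny: no rule permits this public IP/port
        return replace(pkt, dst=self.pub_to_priv[pkt.dst])

    def to_wan(self, pkt: Packet) -> Packet:
        """Outbound: SNAT the private source to its public IP, else the WAN IP."""
        if self.translate_outbound and pkt.src in self.priv_to_pub:
            return replace(pkt, src=self.priv_to_pub[pkt.src])
        return replace(pkt, src=self.default_wan_ip)


def demo() -> dict:
    """Walk through the cases discussed in the thread and return the results."""
    nat = OneToOneNat(MAPPINGS, DEFAULT_WAN_IP)
    nat.allow_inbound("203.0.113.10", 80)
    nat.allow_inbound("203.0.113.11", 25)
    http_in = nat.from_wan(Packet("198.51.100.7", "203.0.113.10", 80))
    rdp_in = nat.from_wan(Packet("198.51.100.7", "203.0.113.10", 3389))  # no rule
    web_out = nat.to_wan(Packet("192.168.1.10", "198.51.100.7", 443))
    other_out = nat.to_wan(Packet("192.168.1.50", "198.51.100.7", 443))
    # DNAT-only box: the published host egresses with the default WAN address,
    # which is what a 'whatismyip' check from that host would show
    broken = OneToOneNat(MAPPINGS, DEFAULT_WAN_IP, translate_outbound=False)
    broken_out = broken.to_wan(Packet("192.168.1.10", "198.51.100.7", 443))
    return {
        "http_in_dst": http_in.dst if http_in else None,
        "rdp_in_dropped": rdp_in is None,
        "web_out_src": web_out.src,
        "other_out_src": other_out.src,
        "broken_out_src": broken_out.src,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the published web server reached at its private address on port 80, an unpublished port dropped, the mapped hosts egressing with their own public IPs, an unmapped host egressing with the default WAN address, and the DNAT-only case reproducing the symptom described above. Checking the outbound source address from the mapped host is a quick way to tell whether a box is doing full one-to-one NAT or only forwarding the inbound half.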
I am having exactly the same issue. The instructions in the manual don't seem to work or be sufficient. Is there a solution available?
Joseph, I'm afraid it's not looking very good for us. If you start reading on page 67 "Configuring a DMZ" it's pretty clear that the DMZ is the only zone available for the publishing of public-facing devices. While this may work fine for a web server or a front-end email server, it is not at all useful for an SBS server or for allowing RDP access to local workstations. I guess, as a workaround, one could simply locate their entire network in the DMZ, but that is a silly handicap for a router which is supposed to be designed for small business.
I'm all ears if someone here knows something I'm missing. It would save me several wasted hours and paying the restocking fee when it goes back to my supplier.
Did you set up a rule from LAN (secure) to WAN (insecure) / dedicated optional WAN as well, to allow traffic both ways?
I'm not sure it will help, but it's a guess.
I'm trying the same thing, but with IPs on different subnets. Even worse, and I think untenable at this stage. I'm beginning to wish I'd just gotten two ASAs instead. I just wanted to give these a shot since they were inexpensive GigE devices.
Seems that there is a bug with the One-to-One NAT on the SA5x0. Hopefully this will be fixed soon.
Thanks for the update, Steven. I'm going to wait for the final release before I apply it. I'm using an RV042 right now and can wait. I am hoping that this appliance performs as expected so we can push it across our customer base. We are running into more and more installations which require VLAN support, but the networks are too small to justify an ASA.
I have not played with this firewall first-hand personally. Is this a GUI-based appliance? Is the OS from the ASA product line, or is this truly a step up from the Linksys line?
Linksys-type GUI with maybe a little more polish. I'm actually going to have to get a couple of 5505s to replace my 540s. They keep dropping the IPsec site-to-site VPN. I've got a case open and I'm using beta firmware, but I haven't tried the newly released 17 firmware. I'm on it now after I send logs. No Telnet or SSH access. Ever. Period. Initial versions of the manual, and possibly current versions that allude to this, are wrong.
I have posted this elsewhere, but wanted to make sure you became aware.
Version 1.0.17 firmware was released.
I appreciate you following up on this. My 520 is now working correctly after applying the firmware.
Thanks for everyone's help.