Cisco Support Community

New Member

SA520 firewall rules.

Hello, I'm working with a new SA520 appliance and may be running into a design limitation.  We are replacing our RV042 with this device and are not able to configure one-to-one NAT's in order to publish various internal systems to the internet for mail delivery, ftp and rdp access.  As I'm reading the documentation, it appears that the only place to publish servers to the public IP's is in the DMZ.  It this true?  In other words, is it not possible to publish private systems via NAT from the LAN zone?

Thanks,

Steve

17 REPLIES

Re: SA520 firewall rules.

Let me make sure I understand the request.  Do you want the box to have Multiple WAN IP addresses that you can use?

WAN IP A is what I use for my HTTP Server

WAN IP B is what I use for my SMTP Server

etc

Or, do you just want the appropriate ports forwarded to a box on your local subnet?

New Member

Re: SA520 firewall rules.

Yes, each device published outside uses an individual public IP NAT'd to an internal private address.  We have a .240 block of public static IP's.

New Member

Re: SA520 firewall rules.

The instructions for setting up one-to-one NAT are shown in the Administrator's Guide attached to this post on page 121, "Configuring a Firewall Rule for Inbound Traffic".

Thank you,

Darren

New Member

Re: SA520 firewall rules.

Thanks for the help, Darren.  I've set those rules several times, but they don't work.  My concern here is what is written on page 67 of the same guide.  It seems to say that only systems in the DMZ can be published to the outside.

New Member

Re: SA520 firewall rules.

The rule for WAN to LAN should be exactly like the rule listed below, with the only difference being "To Zone".  Change "DMZ" to "Secure (LAN)"

Allowing Inbound Traffic to a Web Server Using a Specified Public IP Address

Situation: You host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address. Your ISP has provided a static IP address that you want to expose to the public as your web server address.

Solution: Create an inbound rule as follows:

Parameter       Value
From Zone       Insecure(WAN1)
To Zone         DMZ
Service         HTTP
Action          ALLOW always
Source Hosts    Any
Internal IP     192.167.5.2
External IP     Other
Other IP        209.165.201.225 (Public IP address)
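The rule above binds one public address to one internal host, and a correct one-to-one NAT applies that binding in both directions: inbound packets to the public IP reach the internal host, and the host's own outbound traffic leaves with that same public IP rather than the default WAN address. The following Python model is an added illustration, not SA520 code or anything from Cisco's guide; it reproduces the rule's fields, runs the static checks an admin would want before testing live (address inside the assigned block, no conflicting mappings), and compares the expected egress address with what a host observed on an external "what is my IP" service. The /28 block, the default WAN address 209.165.201.226, and the private host 192.168.5.2 are constructed values; 209.165.201.225 is the public address from the quoted rule.

```python
"""Model of one-to-one (static) NAT rules in both directions.

Added illustration only; it does not talk to a device. Addresses are
constructed sample values except 209.165.201.225, taken from the quoted rule.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Well-known ports for the services named in the thread.
SERVICE_PORTS = {"HTTP": 80, "SMTP": 25, "FTP": 21, "RDP": 3389}


def _ip(value):
    """Accept either an IPv4Address or its string form."""
    return value if isinstance(value, IPv4Address) else IPv4Address(value)


@dataclass(frozen=True)
class OneToOneRule:
    """One inbound one-to-one NAT rule, mirroring the fields of the quoted table."""
    from_zone: str            # e.g. "Insecure(WAN1)"
    to_zone: str              # "DMZ" or "Secure (LAN)"
    service: str              # key into SERVICE_PORTS
    internal_ip: IPv4Address  # private host being published
    external_ip: IPv4Address  # the "Other IP" public address the rule binds to


class NatTable:
    """Minimal model of a firewall's static NAT behaviour in both directions."""

    def __init__(self, default_wan_ip, public_block, rules):
        self.default_wan_ip = _ip(default_wan_ip)
        self.public_block = IPv4Network(public_block)
        self.rules = list(rules)

    def validate(self):
        """Static checks a rule set should pass before anyone tests it live."""
        problems, seen = [], {}
        for r in self.rules:
            if r.external_ip not in self.public_block:
                problems.append(f"{r.external_ip} is outside the assigned block {self.public_block}")
            if r.service not in SERVICE_PORTS:
                problems.append(f"unknown service {r.service!r}")
            key = (r.external_ip, r.service)
            if key in seen and seen[key] != r.internal_ip:
                problems.append(f"{r.external_ip}/{r.service} mapped to both {seen[key]} and {r.internal_ip}")
            seen[key] = r.internal_ip
        return problems

    def translate_inbound(self, dst_ip, dst_port):
        """Internal destination for a WAN packet, or None when no rule allows it (dropped)."""
        dst_ip = _ip(dst_ip)
        for r in self.rules:
            if r.external_ip == dst_ip and SERVICE_PORTS.get(r.service) == dst_port:
                return r.internal_ip
        return None

    def translate_outbound(self, src_ip):
        """Public source address a host's outbound traffic should leave with.

        With working one-to-one NAT a published host uses its mapped public IP;
        unpublished hosts fall back to the default WAN address (overload/PAT).
        """
        src_ip = _ip(src_ip)
        for r in self.rules:
            if r.internal_ip == src_ip:
                return r.external_ip
        return self.default_wan_ip


def check_symmetry(table, host_ip, observed_public_ip):
    """Compare the model with what a host saw from an external IP check.

    Returns a list of findings; an empty list means the mapping is consistent.
    """
    host_ip, observed = _ip(host_ip), _ip(observed_public_ip)
    expected = table.translate_outbound(host_ip)
    if observed == expected:
        return []
    if observed == table.default_wan_ip:
        return [f"{host_ip} egresses as the default WAN address {observed}; the one-to-one "
                f"mapping to {expected} is not applied outbound, so the rule is only half in effect"]
    return [f"{host_ip} egresses as {observed}, expected {expected}"]


# Constructed sample: a /28 ("a .240 block"), a default WAN address inside it,
# and one LAN host published on the documentation's public address.
PUBLIC_BLOCK = "209.165.201.224/28"
DEFAULT_WAN_IP = "209.165.201.226"
WEB_RULE = OneToOneRule("Insecure(WAN1)", "Secure (LAN)", "HTTP",
                        IPv4Address("192.168.5.2"), IPv4Address("209.165.201.225"))
TABLE = NatTable(DEFAULT_WAN_IP, PUBLIC_BLOCK, [WEB_RULE])

if __name__ == "__main__":
    print("validation:", TABLE.validate())
    print("inbound 209.165.201.225:80 ->", TABLE.translate_inbound("209.165.201.225", 80))
    print("findings:", check_symmetry(TABLE, "192.168.5.2", DEFAULT_WAN_IP))
```

Running `check_symmetry` with the default WAN address as the observed egress reproduces the symptom described later in this thread: the inbound rule exists, but the host still leaves through the default WAN IP, which is the sign that the one-to-one mapping is not being applied by the device.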

New Member

Re: SA520 firewall rules.

That is exactly what I have been doing, but it doesn't work.  No traffic from the outside can access the system through the referenced public IP.  Also, that same system retains the default WAN address as its outbound IP as shown when visiting 'whatismyip.com', not the correct public IP as defined in the rule.

Before we go any farther, can I get a confirmation that publishing from the WAN to LAN definitely does work?  Have you seen this work in a live installation?

Thanks again for your help.

New Member

Re: SA520 firewall rules.

I am having exactly the same issue.  The instructions in the manual don't seem to work or be sufficient.  Is there a solution available?

New Member

Re: SA520 firewall rules.

Joseph, I'm afraid it's not looking very good for us.  If you start reading on page 67 "Configuring a DMZ" it's pretty clear that the DMZ is the only zone available for the publishing of public-facing devices.  While this may work fine for a web server or a front-end email server, it is not at all useful for an SBS server or for allowing RDP access to local workstations.  I guess, as a workaround, one could simply locate their entire network in the DMZ, but that is a silly handicap for a router which is supposed to be designed for small business.

I'm all ears if someone here knows something I'm missing.  It would save me several wasted hours and paying the restocking fee when it goes back to my supplier.

New Member

Re: SA520 firewall rules.

did you set up a rule from lan secure to wan insecure dedicated optional wan as well, to allow traffic both ways?

i'm not sure it will help, but it's a guess.

i'm trying the same thing, but with ip's on different subnets.  even worse and i think untenable at this stage.  i'm beginning to wish i'd just gotten two asa's instead.  i just wanted to give these a shot since they were inexpensive gige devices.

New Member

Re: SA520 firewall rules.

Seems that there is a bug with the One-to-One NAT on the SA5x0.  Hopefully this will be fixed soon.

Reference: https://www.myciscocommunity.com/message/21729#21729

Thank you,

Darren

New Member

Re: SA520 firewall rules.

Thanks Darren, that is what I was hoping to hear.  I appreciate you following up on this.

Best Wishes,

Steve

Re: SA520 firewall rules.

There is a beta firmware fix for the NAT problem available now.  Please open a case and the TAC can get it for you.

New Member

Re: SA520 firewall rules.

Thanks for the update, Steven.  I'm going to wait for the final release before I apply it.  I'm using an RV042 right now and can wait.  I am hoping that this appliance performs as expected so we can push it across our customer base.  We are running into more and more installations which require VLAN support, but the networks are too small to justify an ASA.

Best Wishes,

Steve

New Member

Re: SA520 firewall rules.

I have posted this elsewhere, but wanted to make sure you became aware.

Version 1.0.17 firmware was released.

New Member

Re: SA520 firewall rules.

I have not played with this firewall first hand personally. Is this a GUI based appliance? Is the OS from the ASA product line or is this truly a step up from the Linksys line?

Thanks

Jim

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674
New Member

Re: SA520 firewall rules.

Linksys type GUI with maybe a little more polish.  I'm actually going to have to get a couple of 5505's to replace my 540's.  They keep dropping the IPsec site to site VPN.  I've got a case open and I'm using beta firmware, but I haven't tried the newly released 17 firmware.  I'm on it now after I send logs.  No telnet or SSH access.  Ever.  Period.  Initial versions of the manual, and possibly current versions that allude to this, are wrong.

New Member

Re: SA520 firewall rules.

jamccord wrote:

I have posted this elsewhere, but wanted to make sure you became aware.

Version 1.0.17 firmware was released.

I appreciate you following up on this.  My 520 is now working correctly after applying the firmware.

Thanks for everyone's help.

Steve
