I recently installed a SA540 in front of my UC520. The SA540 is handling the internet facing traffic. The SA is using two interfaces WAN (public IP) and LAN (192.168.75.0/24)
I was able to get the UC520 working and clients are able to connect through to the internet, etc. Clients on the UC are either data (192.168.10.0/24) or voice 10.x.x.x
One of the reasons I chose to install an SA540 was for the firewall rules. When I create a rule I can enter an IP from the UC range but the SA540 does not seem to apply the rules to the traffic. The firewall rule creation only allows FROM: SECURE LAN to WAN or the other way around.
I am assuming the traffic is not being seen properly as the SA540-facing interface from the UC has a 192.168.75.10 address. If I set up a rule to block the MAC on this interface it blocks all traffic.
My question is how do I add the 192.168.10.0 range into the SA540's secure LAN zone so that traffic is affected by rules I create.
Can you give some more information about what you are trying to do with the rules? Is NAT enabled on the UC500? Is the FW enabled on the UC500?
They should both be disabled and static routing to the UC for the voice and data subnets should be there.
What version of the SA540 are you running?
I am trying to create scheduled based internet access rules based on source IP and or MAC address.
FW disabled on UC
Nat disabled on UC
static IP assigned to UC WAN interface (192.168.75.10) - that IP is part of the SA540 LAN range (192.168.75.0)
Latest version of SA540 firmware 1.0.39
The SA540 interface for creating rules seems very straight forward. I created a schedule and then created a rule based on that schedule. I also just tried BLOCK without using schedule but any users on the UC LAN range (192.168.10.0) do not seem to be affected by the rules I create on the SA540 even though I specifically define their IP. I also tried MAC filtering but that only works if I filter the MAC address of the UC which effectively blocks everyone on the UC side.
I do have static routes defined on the SA to LAN IP addresses on the UC. Without doing that traffic would not flow. I would prefer to define the network instead of the individual IP addresses but I do not see how that can be done.
Yes that would be pretty close. I am looking to block all internet traffic from specific IP addresses in that range based on a time schedule. A basic test could be block port 80 from 192.168.10.x
SA500 broke static routing to subnets in 1.0.39.
It used to work in 1.0.17 when I wrote this....
Just FYI to save you some struggle.... This is reported and will be fixed in the next FW for SA 500 I am told.
Used this to assist in getting my UC moved behind an SA and it worked well.
Only one issue: the UC is sending in the SIP INVITE a URI using the WAN IP of the UC, which is now 192.168.75.2. I need the URI to have the WAN IP of the SA.
Is there a way to change this?
Yes the SIP ALG is on, and we ran a packet sniffer on the outside of the SA and the SIP traffic is being sent upstream. But they are using the IP address and the URI as authentication, so the URI needs to be the public IP address, not the IP address of the UC.
I am able to successfully block this. Make sure that you are using source address on your FW rules. Make sure NAT is disabled on the UC. Also, if you are using a schedule, make sure you have selected NTP servers that work for you and that you have selected the correct timezone.
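The reply above (and the earlier one about NAT and the firewall on the UC500 needing to be off, with static routes for the voice and data subnets) comes down to two things the SA540 must see before a source-address rule can match: the real 192.168.10.x source, which NAT on the UC520 would hide behind 192.168.75.10, and the correct local time for the schedule. The following Python is an added illustrative model of that evaluation, written for this page; it is not SA540 or UC520 code. The addresses come from the thread; the `Rule`/`Packet` structures, the first-match semantics, the 08:00-17:00 window, the example host 192.168.10.25, the destination 198.51.100.7 and the `America/New_York` zone are assumptions made for the example.

```python
"""Model of why SA540 source-address rules only bite when NAT on the UC520 is
off and the schedule timezone is right (added example, not vendor code)."""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
from zoneinfo import ZoneInfo

SA_LAN = ip_network("192.168.75.0/24")          # SA540 LAN, from the thread
UC_WAN_IP = ip_address("192.168.75.10")         # UC520 WAN address, from the thread
UC_SUBNETS = [ip_network("192.168.10.0/24"),    # UC data subnet, from the thread
              ip_network("10.0.0.0/8")]         # UC voice, "10.x.x.x" in the thread

# Constructed timestamp for the demonstration: 20:00 UTC on 12 Jan 2010
# (the day the 1.1.21 firmware was posted); 15:00 in New York (EST).
EXAMPLE_UTC = datetime(2010, 1, 12, 20, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def uc_forward(pkt: Packet, nat_enabled: bool) -> Packet:
    """Model of the UC520 forwarding a LAN packet toward the SA540.

    With NAT enabled the UC rewrites every internal source to its own WAN
    address, so the SA540 never sees the real 192.168.10.x host and a rule
    keyed on that host cannot match (blocking the UC's MAC blocks everyone).
    """
    src = ip_address(pkt.src)
    if nat_enabled and any(src in net for net in UC_SUBNETS):
        return Packet(str(UC_WAN_IP), pkt.dst, pkt.dport)
    return pkt


@dataclass(frozen=True)
class Rule:
    action: str                     # "BLOCK" or "ALLOW"
    src_net: str                    # source host/network the rule keys on
    dport: Optional[int] = None     # None = any destination port
    start: Optional[time] = None    # schedule window, SA540 local time
    end: Optional[time] = None

    def matches(self, pkt: Packet, local_now: datetime) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.start is not None and not (self.start <= local_now.time() < self.end):
            return False
        return True


def sa_decide(rules: List[Rule], pkt: Packet, utc_now: datetime,
              tz_name: str = "UTC", default: str = "ALLOW") -> str:
    """First-match evaluation at the SA540 (assumed semantics).

    The box keeps UTC from NTP and converts to the configured timezone before
    checking a schedule, so a wrong timezone shifts every window by the
    zone offset and a rule can silently never apply when you expect it to.
    """
    local_now = utc_now.astimezone(ZoneInfo(tz_name))
    for rule in rules:
        if rule.matches(pkt, local_now):
            return rule.action
    return default


def http_from_uc_host(nat_enabled: bool, tz_name: str,
                      utc_now: datetime) -> Tuple[str, str]:
    """End to end: a 192.168.10.x host sends HTTP through the UC to the SA.

    Returns (source address the SA actually sees, SA decision).
    """
    rules = [Rule("BLOCK", "192.168.10.0/24", dport=80,
                  start=time(8, 0), end=time(17, 0))]
    pkt = uc_forward(Packet("192.168.10.25", "198.51.100.7", 80), nat_enabled)
    return pkt.src, sa_decide(rules, pkt, utc_now, tz_name)


if __name__ == "__main__":
    # NAT on: SA sees 192.168.75.10, rule never matches -> ('192.168.75.10', 'ALLOW')
    print(http_from_uc_host(True, "America/New_York", EXAMPLE_UTC))
    # NAT off, correct timezone: 15:00 local is inside the window -> ('192.168.10.25', 'BLOCK')
    print(http_from_uc_host(False, "America/New_York", EXAMPLE_UTC))
    # NAT off but timezone left at UTC: 20:00 is outside the window -> ('192.168.10.25', 'ALLOW')
    print(http_from_uc_host(False, "UTC", EXAMPLE_UTC))
```

The three runs in `__main__` are the three states the thread walks through: NAT still on at the UC (rule never sees the host), NAT off with the right timezone (rule blocks), and NAT off with the wrong timezone (rule exists but is outside its window at the moment you test). The static routes back to 192.168.10.0/24 and 10.0.0.0/8 are not modelled; they are a separate precondition, since without them the SA has no return path once NAT is off.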
I checked NTP and time zone is correct. I am using source address and NAT is disabled on the UC. Does the SA540 need to be rebooted for rule changes to take effect?
I'm using CCA for all of this and NAT shows disabled there. I checked my config using CLI and I do not see any NONAT statements anywhere.
My question around reboot was in reference to the firewall rule changes on the SA540.
Attached is a screenshot of a rule.
There is a new firmware posted that has solved my originally posted issue. I can use firewall rules effectively. It was posted Jan 12, 2010. Version 1.1.21
I am not sure if this will fix the URI problem that you are having. I have forwarded this info to development and will see what they come back with.
I have confirmed with developers that this upgrade did do a factory reset. I have also confirmed that this is the last upgrade that will have a factory reset.