Cisco SA540 Security Appliance Firewall Issues

Jon C
Hi All

I am trying to configure a Cisco SA540 to enable certain ports to be opened and forwarded to different servers on the LAN.

I have 15 static IPs on the WAN configured in the IP Alias Section

I have upgraded the Firmware to 2.1.51

I have set up the following rule:

From WAN To LAN
Service HTTP
Always Allow
Source Hosts Any
Destination IP: Internal IP Of Server On Our Network Which Accepts Connections On Port 80
External IP: Dedicated WAN IP From Aliases

The above is configured exactly as it says to do in the admin guide

I can access anything from LAN to WAN but nothing from WAN to LAN. I have tried different rules, pointing at different servers, but none work.
I have nothing in a DMZ.

I am really stuck with this one, so any help is greatly appreciated

Thanks

Jon
You might have to setup some NAT rules depending on where your server is located on the LAN.
My guess is you need to create a NAT rule that says any traffic coming from port 80 needs to get redirected to Server_IP.  

You can set that up similar to the Firewall Rule you created to open the port up.  

Author

Commented:
Thanks for the reply

When I set up the Firewall rule, it asked at the bottom for the Destination NAT settings, which I configured on each Firewall rule I created. It asked the following:

Internal IP Address:    IP Address Of My Server On The LAN
Enable Port Forwarding:      Didn't Use
Translate Port Number:        Didn't Use
External IP Address:       My WAN IP Address

But it still didn't work, on any of the rules.
Do they provide you with a packet monitor, log, or debugging tool?  Use that to follow the connection.  You should see the request come in. I'm thinking maybe the external address you set up to be your WAN IP address might need to be ANY, or the specific IP that the request is being sent from.

They make it a lot easier to determine if it's reaching the NAT rules or getting blocked at the Firewall.  Let me know if you can see the connection trying to establish and come in.

Author

Commented:
Thanks for the reply

I got the logs working and have posted below:

xx is used to replace part of each IP address.

The IP 90.221.xx.xx is my IP address trying to access port 80 of a static IP of the firewall, whose IP is 213.40.xx.xx. Each attempt gets dropped, even though there is a rule to let it through??

Tue Aug 9 19:54:05 2011(GMT +0100) WARN FIREWALL 90.221.xxx.xx 213.40.xx.xx [firewall] LOG_PACKET[DROP] IN=WAN OUT=SELF SRC=90.221.xxx.xx DST=213.40.xx.xx PROTO=TCP SPT=49674 DPT=80
Component: KERNEL
Tue Aug 9 19:54:10 2011(GMT +0100) WARN FIREWALL 90.221.xx.xx 213.40.xx.xx [firewall] LOG_PACKET[DROP] IN=WAN OUT=SELF SRC=90.221.xx.xx DST=213.40.xx.xx PROTO=TCP SPT=49674 DPT=80
Component: KERNEL
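The two log lines above are the key evidence in this thread: `LOG_PACKET[DROP]` with `IN=WAN OUT=SELF` means the appliance treated the packet as addressed to itself rather than forwarding it to the LAN. The following script is an added example (not code from the original thread or from Cisco) that parses log lines in the format shown and classifies each packet by where in the WAN-to-LAN path it was handled. The sample input is constructed: the first two lines copy the format of the author's log, and the third (an `ACCEPT` with `OUT=LAN`) is an assumed line illustrating what a successfully forwarded connection would look like. The classification of `OUT=SELF` as "dropped before DNAT" follows the expert's reading of the log later in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample input. Lines 1-2 mirror the format the author posted
# (addresses masked with xx as in the thread); line 3 is an assumed ACCEPT
# event showing a connection that was DNATed and forwarded to the LAN.
SAMPLE_LOG = """\
Tue Aug 9 19:54:05 2011(GMT +0100) WARN FIREWALL 90.221.xxx.xx 213.40.xx.xx [firewall] LOG_PACKET[DROP] IN=WAN OUT=SELF SRC=90.221.xxx.xx DST=213.40.xx.xx PROTO=TCP SPT=49674 DPT=80
Component: KERNEL
Tue Aug 9 19:54:10 2011(GMT +0100) WARN FIREWALL 90.221.xx.xx 213.40.xx.xx [firewall] LOG_PACKET[DROP] IN=WAN OUT=SELF SRC=90.221.xx.xx DST=213.40.xx.xx PROTO=TCP SPT=49674 DPT=80
Component: KERNEL
Tue Aug 9 19:55:01 2011(GMT +0100) INFO FIREWALL 90.221.xx.xx 213.40.xx.xx [firewall] LOG_PACKET[ACCEPT] IN=WAN OUT=LAN SRC=90.221.xx.xx DST=192.168.1.10 PROTO=TCP SPT=49680 DPT=80
Component: KERNEL
"""

# Matches one packet line: timestamp, level, the two address columns,
# the [firewall] tag, the action in LOG_PACKET[...], then KEY=VALUE pairs.
LOG_RE = re.compile(
    r"^(?P<ts>.+?\(GMT [+-]\d{4}\))\s+(?P<level>\w+)\s+FIREWALL\s+\S+\s+\S+\s+"
    r"\[firewall\]\s+LOG_PACKET\[(?P<action>[A-Z]+)\]\s+(?P<kv>.*)$"
)


@dataclass
class PacketEvent:
    timestamp: str
    level: str
    action: str      # DROP or ACCEPT
    fields: dict     # IN, OUT, SRC, DST, PROTO, SPT, DPT as strings


def parse_log(text):
    """Parse packet lines; 'Component: KERNEL' continuation lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        events.append(PacketEvent(m.group("ts"), m.group("level"), m.group("action"), kv))
    return events


def diagnose(ev):
    """Classify where in the WAN->LAN path the appliance handled the packet."""
    out = ev.fields.get("OUT")
    if ev.action == "DROP" and out == "SELF":
        # DST is still the appliance's own WAN address: no DNAT rule rewrote it,
        # so the packet was dropped before any port-forward could apply.
        return "dropped_at_appliance"
    if ev.action == "DROP":
        # DST was rewritten and the packet was being forwarded when a rule blocked it.
        return "dropped_after_dnat"
    if ev.action == "ACCEPT" and out == "LAN":
        return "forwarded_to_lan"
    return "other"


def summarize(text):
    """Count events per diagnosis, e.g. {'dropped_at_appliance': 2, ...}."""
    counts = {}
    for ev in parse_log(text):
        key = diagnose(ev)
        counts[key] = counts.get(key, 0) + 1
    return counts


def port80_from_wan(text):
    """Inbound WAN attempts to TCP/80, the case discussed in the thread."""
    return [ev for ev in parse_log(text)
            if ev.fields.get("IN") == "WAN"
            and ev.fields.get("PROTO") == "TCP"
            and ev.fields.get("DPT") == "80"]


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev.timestamp, ev.action, ev.fields.get("IN"), "->",
              ev.fields.get("OUT"), ev.fields.get("DST"), diagnose(ev))
    print(summarize(SAMPLE_LOG))
```

Running it over a real export, a run of `dropped_at_appliance` results for the port you expect to be forwarded points at the DNAT or rule-ordering side of the configuration, whereas `dropped_after_dnat` would point at the WAN-to-LAN access rule itself; `forwarded_to_lan` with no reply from the server points past the appliance, at the server or its routing, which is where this thread's problem turned out to be.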
Ok, so that means it's getting blocked at the firewall level even before the NAT rules are applied.

Provided all the settings are correctly configured, you may want to check on what port you can manage the appliance remotely.  I'm wondering if that is set to port 80 on WAN and turned off for security reasons; possibly this rule is higher on the priority list than yours?

Otherwise, you just have the connection coming in through WAN, and you have the other port set up as a LAN. Is this a switch that the server is on, or is it directly connected?

You said fw config was:
From WAN To LAN
Service HTTP
Always Allow
Source Hosts Any
Destination IP: < change this to ANY for now if it lets you >
External IP: Dedicated WAN IP From Aliases
Commented:
Hi

Thanks for the reply again

After much messing about and testing, I found that because I had two gateways on the network, one being the SA540 and one being a Sonicwall TZ190, all the servers and PCs were set to use the TZ190 as the gateway, in the IP config on each machine.

Therefore, any rules in the SA540 didn't work, because all the machines weren't set to use this as the gateway. As soon as I changed a machine to use the SA540 as the gateway, the rules worked.

Thanks

Jon

Author

Commented:
Solution found by testing all the settings on the network.
