Jon C
asked on
Cisco SA540 Security Appliance Firewall Issues
Hi All
I am trying to configure a Cisco SA540 to enable certain ports to be opened and forwarded to different servers on the LAN
I have 15 static IPs on the WAN configured in the IP Alias Section
I have upgraded the Firmware to 2.1.51
I have set up the following rule:
From WAN To LAN
Service HTTP
Always Allow
Source Hosts Any
Destination IP: Internal IP Of Server On Our Network Which Accepts Connections On Port 80
External IP: Dedicated WAN IP From Aliases
The above is configured exactly as it says to do in the admin guide
I can access anything from LAN to WAN but nothing from WAN to LAN, I have tried different rules, pointing at different servers but none work
I have nothing in a DMZ
I am really stuck with this one, so any help is greatly appreciated
Thanks
Jon
ASKER
Thanks for the reply
When I set up the Firewall rule, it asked at the bottom for the Destination NAT settings, which I configured on each Firewall rule I created, it asked the following:
Internal IP Address: IP Address Of My Server On The LAN
Enable Port Forwarding: Didn't Use
Translate Port Number: Didn't Use
External IP Address: My WAN IP Address
But it still didn't work, on any of the rules
Do they provide you with a packet monitor or log, or debugging tool? Use that to follow the connection. You should see the request come in. I'm thinking maybe the external address you set up to be your WAN IP address might need to be ANY or the specific IP that the request is being sent from.
They make it a lot easier to determine if it's reaching the NAT rules or getting blocked at the Firewall. Let me know if you can see the connection trying to establish and come in.
ASKER
Thanks for the reply
I got the logs working and have posted below:
xx used to replace part of IP address
The IP 90.221.xx.xx is my IP address, trying to access port 80 of a static IP of the firewall, which is 213.40.xx.xx, but each one gets dropped, even though there is a rule to let it through??
Tue Aug 9 19:54:05 2011(GMT +0100) WARN FIREWALL 90.221.xxx.xx 213.40.xx.xx [firewall] LOG_PACKET[DROP] IN=WAN OUT=SELF SRC=90.221.xxx.xx DST=213.40.xx.xx PROTO=TCP SPT=49674 DPT=80
Component: KERNEL
Tue Aug 9 19:54:10 2011(GMT +0100) WARN FIREWALL 90.221.xx.xx 213.40.xx.xx [firewall] LOG_PACKET[DROP] IN=WAN OUT=SELF SRC=90.221.xx.xx DST=213.40.xx.xx PROTO=TCP SPT=49674 DPT=80
Component: KERNEL
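To make the log reading above reproducible, here is an added example (not from the thread or from Cisco) that parses LOG_PACKET lines in the format the poster shows and classifies each packet by where the appliance handled it. The key observation the next reply relies on is OUT=SELF: the destination is an address the appliance owns (a WAN IP or alias), so the packet was treated as local traffic and dropped before any destination NAT could send it to the LAN. The two DROP lines are taken from the post; the third ACCEPT/OUT=LAN line and the internal address 192.168.75.10 are constructed assumptions about what a successfully forwarded packet would log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the two DROP lines mirror the poster's output, the
# ACCEPT line is an assumed format for a packet that did reach the LAN.
SAMPLE_LOG = """\
Tue Aug 9 19:54:05 2011(GMT +0100) WARN FIREWALL 90.221.xxx.xx 213.40.xx.xx [firewall] LOG_PACKET[DROP] IN=WAN OUT=SELF SRC=90.221.xxx.xx DST=213.40.xx.xx PROTO=TCP SPT=49674 DPT=80
Component: KERNEL
Tue Aug 9 19:54:10 2011(GMT +0100) WARN FIREWALL 90.221.xx.xx 213.40.xx.xx [firewall] LOG_PACKET[DROP] IN=WAN OUT=SELF SRC=90.221.xx.xx DST=213.40.xx.xx PROTO=TCP SPT=49674 DPT=80
Component: KERNEL
Tue Aug 9 19:55:01 2011(GMT +0100) INFO FIREWALL 90.221.xx.xx 192.168.75.10 [firewall] LOG_PACKET[ACCEPT] IN=WAN OUT=LAN SRC=90.221.xx.xx DST=192.168.75.10 PROTO=TCP SPT=49675 DPT=80
Component: KERNEL
"""

# Match the action in LOG_PACKET[...] and capture the KEY=VALUE tail.
LINE_RE = re.compile(r"LOG_PACKET\[(?P<action>[A-Z]+)\]\s+(?P<fields>.*)$")


def parse_packet_line(line):
    """Return a dict for a LOG_PACKET line, or None for other lines
    (e.g. the 'Component: KERNEL' continuation lines)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action")}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def parse_log(text):
    """Parse every LOG_PACKET line in a block of log text."""
    return [r for r in (parse_packet_line(l) for l in text.splitlines()) if r]


def classify(rec):
    """Say where in the pipeline the packet ended up.

    OUT=SELF means the appliance treated the destination as one of its own
    addresses, so the packet never entered the forwarding path and no
    destination NAT was applied to it."""
    if rec["action"] == "DROP" and rec.get("OUT") == "SELF":
        return "dropped-before-nat"
    if rec["action"] == "DROP":
        return "dropped-after-forwarding-decision"
    if rec.get("OUT") not in (None, "SELF"):
        return "forwarded"
    return "accepted-locally"


def summarize(text):
    """Count outcomes per (DST, DPT) pair."""
    out = defaultdict(Counter)
    for rec in parse_log(text):
        out[(rec.get("DST"), rec.get("DPT"))][classify(rec)] += 1
    return dict(out)


def diagnose(text, wan_ip, port):
    """Verdict for one published WAN IP/port, as a defender would read it."""
    counts = summarize(text).get((wan_ip, str(port)), Counter())
    attempts = sum(counts.values())
    pre_nat = counts["dropped-before-nat"]
    if attempts == 0:
        verdict = "no-traffic-seen"        # nothing arrived; check upstream
    elif pre_nat == attempts:
        verdict = "blocked-before-nat"     # rule not matching or outranked
    elif pre_nat > 0:
        verdict = "partially-blocked"
    else:
        verdict = "reaching-nat"
    return {"attempts": attempts, "pre_nat_drops": pre_nat, "verdict": verdict}


if __name__ == "__main__":
    for key, counts in summarize(SAMPLE_LOG).items():
        print(key, dict(counts))
    print(diagnose(SAMPLE_LOG, "213.40.xx.xx", 80))
```

Run it on the raw log export and a verdict of blocked-before-nat for the alias IP and port 80 tells you the access rule is not matching (or is outranked by an earlier rule, such as remote management on the same port), rather than the NAT translation being wrong, which is exactly the distinction the replies below draw.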
Ok, so that means it's getting blocked at the firewall level even before the NAT rules are applied.
Provided all the settings are correctly configured, you may want to check on what port you can manage the appliance remotely. I'm wondering if that is set to port 80 on WAN and turned off for security reasons; possibly this rule is higher on the priority list than yours?
Otherwise you just have the connection coming in through WAN, and you have the other port set up as a LAN. Is this a switch that the server is on, or is it directly connected to?
You said fw config was:
From WAN To LAN
Service HTTP
Always Allow
Source Hosts Any
Destination IP: < change this to ANY for now if it lets you >
External IP: Dedicated WAN IP From Aliases
ASKER
Solution found by testing all the settings on the network
My guess is you need to create a NAT rule that says any traffic coming from port 80 needs to get redirected to Server_IP.
You can set that up similar to the Firewall Rule you created to open the port up.