New Member

natting inside network to dmz

We have a requirement that we monitor a non-routable network at a remote location. The FW is operational for all other functions; I am adding the items listed below.

Here are the config items on the FW 5505 with base license.

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.51.14.252 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Vlan401
 no forward interface Vlan1
 nameif RF
 security-level 50
 ip address 192.168.223.1 255.255.255.0

object-group network xxx
 description xxx networks
 network-object 10.49.0.0 255.255.0.0
 network-object 10.51.0.0 255.255.0.0

Current 

nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.51.14.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound_1 outside
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside

We are not permitted to route 192.168.223.0/24 network and we are not permitted to change the network so we need to nat 192.168.223.0 to the inside 10.51.14.0.

Are we on the right track to do this with the config below added to current config?

New Items

access-list inside_nat0_outbound extended permit ip object-group xxx 192.168.223.0 255.255.255.0

access-list rfaccess extended permit ip 10.51.14.0 255.255.255.0 192.168.223.0 255.255.255.0

global (RF) 2 interface

nat (inside) 2 access-list rfaccess

6 REPLIES
Cisco Employee

access-list inside_nat0_outbound extended deny ip 10.51.14.0 255.255.255.0 192.168.223.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip object-group xxx 192.168.223.0 255.255.255.0

access-list rfaccess extended permit ip 10.51.14.0 255.255.255.0 192.168.223.0 255.255.255.0

global (RF) 2 interface

nat (inside) 2 access-list rfaccess

Thanks,

Prashant Joshi

New Member

Prashant

Thank you very much for responding.

My colleague was wondering if we will be able to add the 192.168.223.x addresses of the units being monitored to our network monitoring system as individual addresses?

We will be monitoring a total of 40 AP's and switches that have a 192.168.223.x address.

Or do we have to static address all of these addresses in order to add them to our network monitor?

Cisco Employee

With the given configuration, if the 10.51.14.0/24 network needs to go to the 192.168.223.0/24 destination, the ASA will NAT the source with the RF interface IP, which means 192.168.223.0/24 will always see the traffic's originating source as the RF interface IP.

Kindly let me know if this is your requirement or you need something else.

Thanks

Prashant Joshi
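The NAT order the two replies rely on (a "nat 0" exemption ACL is evaluated before policy NAT, and a policy NAT hit translates the source to the RF interface IP) can be checked with this added Python model of the thread's own ACLs; it is not ASA code and was not posted in the thread. It also goes one step further than the reply and shows that a 10.49.x.x source, which is in object-group xxx but not in the added deny line, still falls under the exemption; the sample source and destination addresses are constructed.

```python
import ipaddress

# Constructed model of the pre-8.3 ASA NAT lookup order for the config in this thread.
RF_INTERFACE_IP = "192.168.223.1"   # "ip address 192.168.223.1 255.255.255.0" on Vlan401 (RF)

def net(addr_mask):
    """'10.51.14.0 255.255.255.0' (ASA ACL notation) -> IPv4Network."""
    addr, mask = addr_mask.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

# object-group network xxx
XXX = [net("10.49.0.0 255.255.0.0"), net("10.51.0.0 255.255.0.0")]
RF_NET = net("192.168.223.0 255.255.255.0")

def acl_lookup(acl, src, dst):
    """First-match ACL evaluation: returns 'permit' or 'deny', or None for the implicit deny."""
    for action, srcs, dsts in acl:
        if any(src in s for s in srcs) and any(dst in d for d in dsts):
            return action
    return None

# access-list inside_nat0_outbound as the original poster wrote it (permit only) ...
NAT0_ORIGINAL = [("permit", XXX, [RF_NET])]
# ... and as amended in the reply: deny 10.51.14.0/24 -> 192.168.223.0/24 ahead of the permit
NAT0_AMENDED = [("deny", [net("10.51.14.0 255.255.255.0")], [RF_NET])] + NAT0_ORIGINAL
# access-list rfaccess, referenced by "nat (inside) 2 access-list rfaccess"
RFACCESS = [("permit", [net("10.51.14.0 255.255.255.0")], [RF_NET])]

def translate_inside_to_rf(src_ip, dst_ip, nat0_acl):
    """Source address the RF segment sees for a packet leaving 'inside' towards 'RF'.
    Order: nat 0 exemption first, then policy NAT id 2 (global (RF) 2 interface)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if acl_lookup(nat0_acl, src, dst) == "permit":
        return src_ip                      # exempt from NAT: source left untranslated
    if acl_lookup(RFACCESS, src, dst) == "permit":
        return RF_INTERFACE_IP             # policy PAT to the RF interface address
    # No "global (RF) 1" exists for the catch-all "nat (inside) 1 0.0.0.0 0.0.0.0",
    # so under nat-control there is no translation for this path at all.
    return None

if __name__ == "__main__":
    for name, acl in (("original", NAT0_ORIGINAL), ("amended", NAT0_AMENDED)):
        print(name, translate_inside_to_rf("10.51.14.10", "192.168.223.240", acl))
```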

New Member

Prashant

We will need to monitor these devices at 192.168.223.0 from our home network which is 10.49.0.0. The remote network is 10.51.14 which we route over our MPLS but 192.168 is not routable.

We use Solarwinds NPM to monitor all other remote sites.

All 40 devices have a 192.168.223.x address. If I add 192.168.223.240 for example to NPM will this ASA config allow us to monitor that device and ping it from 10.49.x.x?

Or do I need to have a static NAT for all of these?

Cisco Employee

As per your configuration, 192.168.223.1 is configured on the RF interface of the ASA; I believe all 40 devices are behind this interface.

Where is the 10.49.x.x network, how is it reachable via this ASA, and which ASA interface is connected to the MPLS link?

Prashant Joshi

New Member

Prashant

There are two networks at this location; 10.51.14.0/24 which is routed via our MPLS and is behind the ASA.

And 192.168.223.0/24, which is standalone with no routing, but we will set up inter-VLAN routing within the site in the near future and it will also be behind that same ASA when we go live with this. It will not, however, be routed, as I mentioned before, because we are not allowed to route 192.168.x.x networks via the MPLS. So we were hoping to be able to do some kind of NATting in order to manage and monitor it from 10.49.x.x.

The 10.49.x.x network is our HQ network from which we do all the monitoring of our world wide MPLS. It is behind an ASA as well.

I wanted to change all 40 devices to a network that is routable, but I am not permitted to do so. That would make this so much easier!

We really appreciate your help!
