https://community.cisco.com/t5/network-security/snmp-aaa-access-to-an-external-switch/m-p/3187602#M1065918 <P>Ableton,</P><P>&nbsp;</P><P>It sounds like you want to use in-band management for the external switch and are using NAT on your firewall. For most NAT configurations, no special configuration is needed for communications originating from the inside of your network. Therefore, SSH and SNMP polling initiated from the inside of your network will be allowed out to the switch (firewall permitting) and the return traffic for the&nbsp;matching flow will be allowed back inside based on the NAT table entries established by the outbound connection. As this switch is external to your firewall but has remote administration enabled, be sure to block those protocols on all but the expected interfaces&nbsp;using an ACL. Moving on, the communications originating from the switch destined for the inside of the network will not have a NAT entry so will be dropped. To resolve this you will need to create a static port mapping. On a Cisco router you would type something like 'ip nat inside source static tcp 10.0.0.10 49&nbsp;132.16.0.1 49 extendable' to enable authentication&nbsp;using the&nbsp;TACACS+ protocol (where <SPAN>10.0.0.</SPAN><SPAN>10:</SPAN><SPAN>49 is your server's IP:port and&nbsp;132.16.0.1:49 is&nbsp;the IP:port you want&nbsp;the&nbsp;server to be accessible from on the outside</SPAN>). You can also change the external port from the default of 49 to something else in order to obfuscate the external communications or ensure that port is open for later use. You do this when defining the TACACS server in the switch configuration. For older IOSs, the syntax was 'tacacs-server host [IP Address] port [port #] key [shared secret]', but I believe it is nested in sub-configurations now.</P> Thu, 21 Sep 2017 18:06:33 GMT Rich Uline 2017-09-21T18:06:33Z https://community.cisco.com/t5/network-security/snmp-aaa-access-to-an-external-switch/m-p/3187365#M1065917 <P>Hi all,</P><P>&nbsp;</P><P>We have an external switch which links our core firewalls to a private network in the internet.</P><P>This switch is not currently able to be managed from our internal network via SNMP or with ACS/AAA Tacacs etc.</P><P>I want to know the best way of securely being able to manage it remotely and monitor it on our monitoring platform.</P><P>The link between the core firewalls and the Cisco switch is a basic trunk link at the moment.</P><P>Would I use NAT/PAT, place an external address on the switch on an interface then NAT to it from the core FW's?</P><P>What other rules would I need etc?</P><P>thanks</P> Fri, 21 Feb 2020 14:20:28 GMT https://community.cisco.com/t5/network-security/snmp-aaa-access-to-an-external-switch/m-p/3187365#M1065917 Ableton34 2020-02-21T14:20:28Z https://community.cisco.com/t5/network-security/snmp-aaa-access-to-an-external-switch/m-p/3187602#M1065918 <P>Ableton,</P><P>&nbsp;</P><P>It sounds like you want to use in-band management for the external switch and are using NAT on your firewall. For most NAT configurations, no special configuration is needed for communications originating from the inside of your network. Therefore, SSH and SNMP polling initiated from the inside of your network will be allowed out to the switch (firewall permitting) and the return traffic for the&nbsp;matching flow will be allowed back inside based on the NAT table entries established by the outbound connection. As this switch is external to your firewall but has remote administration enabled, be sure to block those protocols on all but the expected interfaces&nbsp;using an ACL. Moving on, the communications originating from the switch destined for the inside of the network will not have a NAT entry so will be dropped. To resolve this you will need to create a static port mapping. On a Cisco router you would type something like 'ip nat inside source static tcp 10.0.0.10 49&nbsp;132.16.0.1 49 extendable' to enable authentication&nbsp;using the&nbsp;TACACS+ protocol (where <SPAN>10.0.0.</SPAN><SPAN>10:</SPAN><SPAN>49 is your server's IP:port and&nbsp;132.16.0.1:49 is&nbsp;the IP:port you want&nbsp;the&nbsp;server to be accessible from on the outside</SPAN>). You can also change the external port from the default of 49 to something else in order to obfuscate the external communications or ensure that port is open for later use. You do this when defining the TACACS server in the switch configuration. For older IOSs, the syntax was 'tacacs-server host [IP Address] port [port #] key [shared secret]', but I believe it is nested in sub-configurations now.</P> Thu, 21 Sep 2017 18:06:33 GMT https://community.cisco.com/t5/network-security/snmp-aaa-access-to-an-external-switch/m-p/3187602#M1065918 Rich Uline 2017-09-21T18:06:33Z