topic with the given configuration in Network Security

natting inside network to dmz

john.wright — Tue, 12 Mar 2019 05:02:28 GMT

We have a requirement that we monitor a non-routable network at a remote location. The FW is operational for all other functions I am adding the items listed be low

Here is the config items on the FW 5505 with base license.

interface Vlan1
nameif inside
security-level 100
ip address 10.51.14.252 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Vlan401
no forward interface Vlan1
nameif RF
security-level 50
ip address 192.168.223.1 255.255.255.0

object-group network xxx
description xxx networks
network-object 10.49.0.0 255.255.0.0
network-object 10.51.0.0 255.255.0.0

Current

nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.51.14.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound_1 outside
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside

We are not permitted to route 192.168.223.0/24 network and we are not permitted to change the network so we need to nat 192.168.223.0 to the inside 10.51.14.0.

Are we on the right track to do this with the config below added to current config?

New Items

access-list inside_nat0_outbound extended permit ip object-group xxx 192.168.223.0 255.255.255.0

access-list rfaccess extended permit ip 10.51.14.0 255.255.255.0 192.168.223.0 255.255.255.0

global (RF) 2 interface

nat (inside) 2 access-list rfaccess

access-list inside_nat0

Prashant Joshi — Thu, 06 Nov 2014 17:32:03 GMT

access-list inside_nat0_outbound extended deny ip 10.51.14.0 255.255.255.0 192.168.223.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip object-group xxx 192.168.223.0 255.255.255.0

access-list rfaccess extended permit ip 10.51.14.0 255.255.255.0 192.168.223.0 255.255.255.0

global (RF) 2 interface

nat (inside) 2 access-list rfaccess

Thanks,

Prashant Joshi

PrashantThank you very much

john.wright — Thu, 06 Nov 2014 18:20:59 GMT

Prashant

Thank you very much for responding.

My colleague was wondering if we will be able to add the 192.168.223.x addresses of the units being monitored to our network monitoring system as individual addresses?

We will be monitoring a total of 40 AP's and switches that have a 192.168.223.x address.

Or do we have to static address all of these addresses in order to add them to our network monitor?

with the given configuration

Prashant Joshi — Thu, 06 Nov 2014 23:49:35 GMT

with the given configuration if 10.51.14.0/24 network needs to go for 192.168.223.0/24 destination, ASA will NAT the source with RF interface IP , which means 192.168.223.0/24 will always see the traffic originating source as RF interface IP.

Kindly let me know if this is your requirement or you need something else.

Thanks

Prashant Joshi

PrashantWe will need to

john.wright — Fri, 07 Nov 2014 14:06:31 GMT

Prashant

We will need to monitor these devices at 192.168.223.0 from our home network which is 10.49.0.0. The remote network is 10.51.14 which we route over our MPLS but 192.168 is not routable.

We use Solarwinds NPM to monitor all other remote sites.

All 40 devices have a 192.168.223.x address. If I add 192.168.223.240 for example to NPM will this ASA config allow us to monitor that device and ping it from 10.49.x.x?

Or do I need to have a staic nat for all of these?

As per your configuration 192

Prashant Joshi — Sun, 09 Nov 2014 06:14:57 GMT

As per your configuration 192.168.223.1 is configured on RF interface of the ASA, I believe all 40 devices are behind this interface.

where is 10.49.x.x network and how it reachable via this ASA and and which ASA interface is connected to MPLS link.

Prashant Joshi

PrashantThere are two

john.wright — Mon, 10 Nov 2014 13:26:03 GMT

Prashant

There are two networks at this location; 10.51.14.0/24 which is routed via our MPLS and is behind the ASA.

And 192.168.223.0/24 which is standalone with no routing but we will set up intervlan routing within the site in the near future and it will also be behind that same ASA when we go live with this. It will not however be routed as I mentioned before because we are not allowed to route 192.168.x.x networks via the MPLS. So we were hopping to be able to do some kind of natting in order to manage and monitor it from 10.49.x.x.

The 10.49.x.x network is our HQ network from which we do all the monitoring of our world wide MPLS. It is behind an ASA as well.

I wanted to changed all 40 devices to a network that is routable but I am not permitted to do so. That would make this so much easier!

We really appreciate your help!