natting inside network to dmz

john.wright
Level 3

We have a requirement to monitor a non-routable network at a remote location. The FW is operational for all other functions; I am adding the items listed below.

Here are the config items on the FW 5505 with base license.

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.51.14.252 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Vlan401
 no forward interface Vlan1
 nameif RF
 security-level 50
 ip address 192.168.223.1 255.255.255.0

object-group network xxx
 description xxx networks
 network-object 10.49.0.0 255.255.0.0
 network-object 10.51.0.0 255.255.0.0

Current 

nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.51.14.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound_1 outside
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside

We are not permitted to route 192.168.223.0/24 network and we are not permitted to change the network so we need to nat 192.168.223.0 to the inside 10.51.14.0.

Are we on the right track to do this with the config below added to current config?

New Items

access-list inside_nat0_outbound extended permit ip object-group xxx 192.168.223.0 255.255.255.0
access-list rfaccess extended permit ip 10.51.14.0 255.255.255.0 192.168.223.0 255.255.255.0
global (RF) 2 interface
nat (inside) 2 access-list rfaccess

6 Replies

Prashant Joshi
Cisco Employee

access-list inside_nat0_outbound extended deny ip 10.51.14.0 255.255.255.0 192.168.223.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group xxx 192.168.223.0 255.255.255.0
access-list rfaccess extended permit ip 10.51.14.0 255.255.255.0 192.168.223.0 255.255.255.0
global (RF) 2 interface
nat (inside) 2 access-list rfaccess

Thanks,

Prashant Joshi

Prashant

Thank you very much for responding.

My colleague was wondering if we will be able to add the 192.168.223.x addresses of the units being monitored to our network monitoring system as individual addresses?

We will be monitoring a total of 40 APs and switches that have a 192.168.223.x address.

Or do we have to static address all of these addresses in order to add them to our network monitor?

With the given configuration, if the 10.51.14.0/24 network needs to go to the 192.168.223.0/24 destination, the ASA will NAT the source with the RF interface IP, which means 192.168.223.0/24 will always see the originating source of the traffic as the RF interface IP.

Kindly let me know if this is your requirement or you need something else.

Thanks

Prashant Joshi
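Why the deny line added in the first reply matters, as an added illustration that is not part of this thread or of Cisco's code: a Python model of the ASA 8.2 NAT evaluation order applied to the rules posted above (static NAT is left out since none is configured, and the outside interface address is a placeholder for the thread's x.x.x.x). Without the deny, 10.51.14.x traffic to 192.168.223.x matches the nat 0 exemption through object-group xxx and is never PATed to the RF interface; with the deny, the policy NAT applies, which is the behaviour the reply describes.

```python
import ipaddress

# Constructed model (not the ASA's code) of the NAT rules in this thread, in ASA 8.2 terms.
# For a packet entering "inside" the ASA evaluates, in order:
#   1. NAT exemption: nat (inside) 0 access-list; a permit ACE leaves the source
#      untranslated, a deny ACE only cancels the exemption and falls through
#   2. policy NAT:    nat (inside) <id> access-list ..., paired with global (egress) <id>
#   3. regular NAT:   nat (inside) <id> <net> <mask>, paired with global (egress) <id>
# With nat-control, a packet matching no rule is dropped.
XXX = ["10.49.0.0/16", "10.51.0.0/16"]   # object-group xxx
RF_NET = "192.168.223.0/24"
RF_IF_IP = "192.168.223.1"               # global (RF) 2 interface
OUTSIDE_IF_IP = "203.0.113.1"            # placeholder for the thread's x.x.x.x

def _in(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def egress(dst):
    return "RF" if _in(dst, [RF_NET]) else "outside"   # RF is directly connected

def translate(src, dst, nat0_acl, policy, regular, globals_):
    """Source address the destination sees, or 'DROP' under nat-control."""
    out = egress(dst)
    for action, s_nets, d_nets in nat0_acl:       # 1. exemption: first match wins
        if _in(src, s_nets) and _in(dst, d_nets):
            if action == "permit":
                return src
            break
    for nat_id, acl in policy:                    # 2. policy NAT
        if any(_in(src, s) and _in(dst, d) for s, d in acl) and (nat_id, out) in globals_:
            return globals_[(nat_id, out)]
    for nat_id, real in regular:                  # 3. regular dynamic NAT/PAT
        if _in(src, [real]) and (nat_id, out) in globals_:
            return globals_[(nat_id, out)]
    return "DROP"

GLOBALS = {(1, "outside"): OUTSIDE_IF_IP, (2, "RF"): RF_IF_IP}
POLICY = [(2, [(["10.51.14.0/24"], [RF_NET])])]   # nat (inside) 2 access-list rfaccess
REGULAR = [(1, "10.51.14.0/24"), (1, "0.0.0.0/0")]
# inside_nat0_outbound as first posted (permit only) and as amended (deny first)
NAT0_ORIGINAL = [("permit", XXX, [RF_NET])]
NAT0_AMENDED = [("deny", ["10.51.14.0/24"], [RF_NET]), ("permit", XXX, [RF_NET])]

def compare(src, dst):   # (source seen under original nat 0 ACL, under amended ACL)
    return (translate(src, dst, NAT0_ORIGINAL, POLICY, REGULAR, GLOBALS),
            translate(src, dst, NAT0_AMENDED, POLICY, REGULAR, GLOBALS))

if __name__ == "__main__":
    for src in ("10.51.14.20", "10.49.3.7"):
        print(src, "-> 192.168.223.240:", compare(src, "192.168.223.240"))
```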

Prashant

We will need to monitor these devices at 192.168.223.0 from our home network which is 10.49.0.0. The remote network is 10.51.14 which we route over our MPLS but 192.168 is not routable.

We use Solarwinds NPM to monitor all other remote sites.

All 40 devices have a 192.168.223.x address. If I add 192.168.223.240 for example to NPM will this ASA config allow us to monitor that device and ping it from 10.49.x.x?

Or do I need to have a static NAT for all of these?

As per your configuration, 192.168.223.1 is configured on the RF interface of the ASA; I believe all 40 devices are behind this interface.

Where is the 10.49.x.x network, how is it reachable via this ASA, and which ASA interface is connected to the MPLS link?

Prashant Joshi

Prashant

There are two networks at this location; 10.51.14.0/24 which is routed via our MPLS and is behind the ASA.

And 192.168.223.0/24, which is standalone with no routing, but we will set up inter-VLAN routing within the site in the near future and it will also be behind that same ASA when we go live with this. It will not, however, be routed, as I mentioned before, because we are not allowed to route 192.168.x.x networks via the MPLS. So we were hoping to be able to do some kind of NATting in order to manage and monitor it from 10.49.x.x.

The 10.49.x.x network is our HQ network from which we do all the monitoring of our world wide MPLS. It is behind an ASA as well.

I wanted to change all 40 devices to a network that is routable, but I am not permitted to do so. That would make this so much easier!

We really appreciate your help!
