Re: STATIC WAN IP to LAN Allocation - Page 2

TheGoob · ‎12-13-2023

Hello

Currently I have 5 (Usable) Static IP’s. The Cisco FPR1010 Has x.x.x.182 as it’s WAN IP and then Subnet 192.168.5.0 uses it for its Internet. I have my 4 other IP’s directed Via NAT I.E x.x.x.177 - x.x.x.181 to 192.168.5.177 - 192.168.5.181 but this allocates only 1 LAN to use it.

To better utilize my WAN IP’s for various devices, can I assign (in the Cisco) an Interface (Like GE 1/2 and so on) to have it’s own wan (I mean, the FPR itself does) and then create network like 192.168.2.0 for it, so I can plug in GE1/2 (assigned x.x.x.181) and then the Switch plugged in can use a 192.168.2.0 Address?

Or, if what I am saying is confusing, can I assign a static wan IP to an Interface then plug a switch in for a subnet/network (not the FPR1010 Itself).

MHM Cisco World · ‎12-15-2023

If you use NAT then you can use trunk and NAT each subnet to specify public IP

MHM

TheGoob · ‎12-15-2023

I just need to find out if the FPR1010 supports TRUNK.

MHM Cisco World · ‎12-15-2023

Yes it support

If you use fdm then check this guide

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-interfaces.html

MHM

TheGoob · ‎12-15-2023

Am I misunderstanding this, I read it as FPR1010 can not do Trunk…. “

Firepower 1010—Subinterfaces are not supported on switch ports or VLAN interfaces.”
Under :

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-interfaces.html#task_4FA3FC2F83774196A854661C2C85D434

MHM Cisco World · ‎12-17-2023

Hi friend

Subinterface can not config when you config interface as switch port or trunk

You need to config vlan svi

MHM

TheGoob · ‎12-17-2023

Hey friends!

Update, before I commit to this, would you be able to generally approve or refute my proposal on configuration.

I wanted to be sure, so from scratch [and these are specific but general rules]

created 2 objects, nas_lan (network (192.168.1.0)) and nas_wan (static ip) x.x.x.180
created nat rule, outside nas_wan (.180) to nas_lan (network 192.168.1.0) [I did this as MANUAL NAT "Before" Auto Rules [[nat (nas_inside,outside) source static nas_lan nas_wan]] ???
created vlan2, assigned it 192.168.1.1
created a dhcp server (192.168.1.2 - 192.168.1.254) and assigned it to vlan2
assigned Ethernet 1/3 to vlan2. Currently Switchport.
created an acl "trust" 'nas_lan any any nas_wan any any' and I assume that will allow nas_lan access to the outside world.

Before I get to the next step, will above allow me to connect any device into 1/3 and it will grab an IP of vlan2's pool and then have a WAN/Internet address of x.x.x.180, and not of the FPR's default [vlan1] x.x.x.182?

MHM Cisco World · ‎12-17-2023

FPR use .182

And .180 is one of public IP you get from ISP

So you vlan2 (192.168.1.x) will use WAN IP .180 to access internet AFTER NATing.

MHM

TheGoob · ‎12-18-2023

Roger that, thank you.
I am planning on doing this for the remaining 4 WAN IP’s and create 5 more vlan’s and networks.

I am curious, will each of these vlans / networks be able to communicate with each other by default ; inner-vlan/inter-vlan or will there need to be a set of rules now for even the LAN Networks I.e 192.168.3.7 to talk to 192.168.4.66? All of these devices will be connected to a L2 Switch which will be connected to the FPR so routing would be done on FPR. I understand WAN in will obviously need ACL’s etc, but really, for now, just want everything to talk.

MHM Cisco World · ‎12-18-2023

the ASA use security level when it same the VLAN can connect to each other without any ACL
but for FPR if you out all VLAN in same Zone it can connect to each other
if you make different Zone (this more secure) then you need ACL to allow traffic between Zone.
MHM

TheGoob · ‎12-19-2023

Ah, alright makes sense.
Without knowing why but because it seemed the right thing to do, I made each vlan it’s own zone so I will definitely need to make ACL’s.

I assume the ACL’s should be port specific and not “all” and would have to make 1 for each vlan to access a port on another vlan, I.e

if 192.168.1.77 runs a NAS (SMB) I’d need to make an ACL for each other device to connect… hmm, I suppose I would do 192.168.3.0 and 192.168.4.0 (networks (for example)) ACL to access SMB on 192.168.1.177. Whew that’s gonna be a lot of ACL’s. But I’ll do it .

MHM Cisco World · ‎12-19-2023

Yes. For more secure config different zone and config acl between zone

Goodluck friend

MHM

TheGoob · ‎12-19-2023

Howdy

Was curious..Eventually I will TRUNK the 5 networks but for now, 1 step at a time, being that each network has it's own vlan assigned to it's own Interface, for now, would I leave the Interfaces as SWITCH PORT or PASSIVE...They will be connecting to their own switches [L2].