To Configure different IP segment without Gateway

Razizuddin89 · ‎08-29-2021

I am using FPR 1010 to do some routing. but right now we found out that the PLC for old system doesn't have any gateway ip.My current system are 10.13.x.x with subnet of 255.255.248.0 and the PLC IP are 192.168.x.x with subnet 255.255.248.0.

The question are, how can i connect it with our system? using this FPR 1010. what is the available option to make sure the PLC system can connect to our system.

1- If using routing:- we need to use the gateway as i go through all the document

2-If using NAT:- im not sure if its can be fulfilled or not

Georg Pauwen · ‎08-29-2021

Hello,

what device is the 'PLC' ? Off the top of my head, the only way I can think of to connect to different subnets without a router is some sort of proxy ARP.

Razizuddin89 · ‎08-30-2021

@Georg Pauwen

The PLC are Siemens PLC. can you elaborate more detail on that?

Thanks and Best REgards

Georg Pauwen · ‎08-30-2021

Hello,

the only example I know is two Cisco routers directly connected, but with different IP addresses/subnets on each side. The connectivity still works if both interfaces ARP for whatever IP address is on the other side, which effectively makes a connection possible even if both interfaces are in different subnets. I am not sure if the PLC has the functionality to do that. It would mean you configure a static route pointing to the outgoing interface rather than an IP address, and this would cause the PLC to send an ARP request to whatever is on the other side...

Giuseppe Larosa · ‎08-30-2021

Hello @Razizuddin89 ,

you can use VLAN based subinterfaces creating a new VLAN for the PLC device(s) in that VLAN you will have on the FP an IP address on the subnet expected by the PLC device confgured on the VLAN subinterface.

The firepower should NAT by default ( source NAT) so this should solve the problem if as noted by @Georg Pauwen the FP VLAN based subif has IP Proxy ARP enabled.

Hope to help

Giuseppe

Razizuddin89 · ‎08-30-2021

@Giuseppe Larosa Giuseppe,

Can you gave me some example to do that based on diagram or anything. because we have L1 switch connected to firepower. sorry im a bit slow about this because im new to this type of networking. how can i understand more about this

Giuseppe Larosa · ‎08-30-2021

Hello @Razizuddin89 ,

if your LAN switch cannot be configured , if it is an unmanaged switch the only option I see is to connect the Siemens PLC directly to one unused port on the Firewall that you will configure to have an IP address in the expected IP subnet.

As explained before source based NAT and proxy ARP will do the job.

if your LAN switch can be configured you need to create a new VLAN example VLAN 50 to assign the port connected to the PLC to VLAN 50.

Then you will configure the port between switch and firewall as a trunk on the switch side, that will carry ethernet frames for VLAN 1 and 50.

On the FW side you need to configure a VLAN based subinterface that refers to the port connecting to the switch and using VLAN ID= 50 and with an IP address on the expected subnet of PLC.

Hope to help

Giuseppe

Razizuddin89 · ‎08-30-2021

Hi @Giuseppe Larosa

thanks for the info. We have the managed switch at level one and comig to firewall. Ok i understood on how to do it mostly. But at FW side do i still use the NAT and proxy ARP if using the manages switch?

Giuseppe Larosa · ‎08-30-2021

Hello @Razizuddin89 ,

>> But at FW side do i still use the NAT and proxy ARP if using the manages switch?

Yes you still need it because the PLC has no default gateway so it needs to rely on proxy ARP to be able to reach different IP subnets

The NAT should be automatic on the firepower.

Hope to help

Giuseppe

Razizuddin89 · ‎08-31-2021

@Giuseppe Larosa THanks for all the info. for NAT i think i have the idea to do it, but for proxy ARP what do we need to do for the configuration at the FPR 1010. sorry for troublesome