We recently split our network into three segments. We have numerous devices (door panels, heating/ac system, etc.) in segments 2 and 3 that need to be accessible from segment 1. For the most part, using NAT rules to map the devices to IPs in segment 1’s subnet has worked. But we cannot for the life of us see the network switches directly. We have a bit of a workaround by NATting a server (this is OS X) at each location and using ARD to control them remotely. But we have some network monitoring software that is unable to monitor the network switches in the other two locations because it just can’t see them. As a result we don’t get notified if one goes down.
Is there something about switches (mostly HP) that prevents them from being accessible outside the local network regardless of firewall and NAT rules?
They probably have a different range of IP addresses. Find the range of the switches, and put a second NIC in a PC and give it an address in that range. Then that PC can see the switches with a browser.
I’ve done this at a school, PM or email me if you would like.
They do have different IPs now, but there are NAT rules mapping their old IPs to the new ones. The monitoring software has to think that all the devices it’s monitoring are on the same subnet. The NAT rules work for the printers, door panels, hvac system, the Mac servers we need to administer remotely, etc., but the switches won’t even respond to a ping from outside the firewall. We already tried manually assigning an address in the other subnet range, but that only succeeded in cutting the computer off from its own network.
To give a hopefully clearer picture, if the HVAC controller previously was at X.A.1.1, after segmenting it’s at Y.B.1.1. We put in a NAT rule on the new intervening firewall mapping Y.B.1.1 to X.A.1.1. Devices on the X.A.x.x subnet can ping the HVAC controller at X.A.1.1 and devices on the Y.B.x.x subnet can ping it at Y.B.1.1. Same with printers and door panels, and computers. This works with any device we need to be able to see from outside the firewall except the network switches. Because the NAT rules are identical except for the IPs, it appears that the switches are just refusing to respond.
If you put a second NIC in a PC, there is less stuff to not work.
Does a NAT rule deal with the subnet mask, or is that even a problem?
Stick the switch IP range onto a laptop and see what happens.
Normally when something does not work like that, the first thing I double-check is the gateway setting on the target (in this case, the switch). Perhaps X.A.1.22 can reach Y.B.1.2, but the return packet does not know where to go to get back.
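The return-path problem described in this reply (and the subnet-mask question above), as an added example that is not part of the thread: a small Python model of one ping through a static 1:1 NAT, showing why a switch with no default gateway, or with a mask wide enough to "cover" the far subnet, never answers. It assumes constructed addresses 10.1.0.0/16 for segment 1 (the thread's X.A.x.x), 10.2.0.0/16 for segment 2 (Y.B.x.x) and a firewall interface at 10.2.1.254.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addresses standing in for the thread's X.A.x.x (segment 1) and
# Y.B.x.x (segment 2) ranges; the firewall's segment-2 interface is assumed.
FIREWALL_SEG2 = "10.2.1.254"
# Static 1:1 NAT on the firewall: segment-1 alias -> real segment-2 address
NAT = {"10.1.1.1": "10.2.1.1"}


@dataclass
class Host:
    name: str
    addr: str
    prefix: int                      # subnet mask length
    gateway: Optional[str] = None    # default gateway, if configured

    def next_hop(self, dst: str) -> Optional[str]:
        """Where this host sends a packet for dst: dst itself if on-link,
        the default gateway if off-link, None if it has no route at all."""
        net = ipaddress.ip_network(f"{self.addr}/{self.prefix}", strict=False)
        if ipaddress.ip_address(dst) in net:
            return dst
        return self.gateway


def ping_through_nat(client: Host, alias: str, target: Host) -> Tuple[bool, str]:
    """Model one ICMP echo from a segment-1 client to a NAT alias and its reply."""
    if NAT.get(alias) != target.addr:
        return False, "no NAT rule maps that alias to the target"
    # Forward path: the firewall answers ARP for the alias, rewrites the
    # destination and delivers the packet on segment 2 with the client's real
    # source address intact. The reply now has to find its way back.
    hop = target.next_hop(client.addr)
    if hop is None:
        return False, f"{target.name} has no default gateway; reply is dropped"
    if hop == client.addr:
        return False, (f"{target.name}'s mask covers {client.addr}; it ARPs on "
                       "segment 2 for a host that is not there")
    if hop != FIREWALL_SEG2:
        return False, f"{target.name} sends the reply to {hop}, not the firewall"
    return True, "reply reaches the firewall, which rewrites the source to the alias"


if __name__ == "__main__":
    monitor = Host("monitor", "10.1.1.22", 16)
    for sw in (Host("switch", "10.2.1.1", 24),
               Host("switch", "10.2.1.1", 8, gateway=FIREWALL_SEG2),
               Host("switch", "10.2.1.1", 24, gateway=FIREWALL_SEG2)):
        ok, why = ping_through_nat(monitor, "10.1.1.1", sw)
        print(f"/{sw.prefix} gw={sw.gateway}: {'OK' if ok else 'FAIL'} ({why})")
```

Only the last switch configuration (correct mask plus the firewall as default gateway) gets a reply back through the NAT; the other two fail for the reasons given in the returned message.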
If the firewall NATs both ways, then presumably the process is that the firewall on both sides responds to ARP to say “x.x.x.x? That’s me! Send to my MAC address”. Can you detect that?
Some managed switches have diagnostic capability. Can you ping FROM the switch to the other side?