topic Re: NAT stops working with VLAN on PIX in Network Security

NAT stops working with VLAN on PIX

global-gossip — Mon, 11 Mar 2019 22:09:47 GMT

I have the following devices:

I have a PIX 515e (8.0 (2)) and 1841 router (12.4(25)).

I had the following setup working without issue:

[Internet] <-----> PIX <-----> 1841 <-----> [LAN]

I then tried to introduce VLANs and now I can not reach the Internet from the LAN. It seems that no nat translations are taking place.

I can successfully ping the LAN from the PIX.

I can successfully ping the Internet from the PIX.

I can successfully ping the PIX inside_lan interface from the router

I can not ping the outside interface from the router

I can not ping the Internet from the router

I introduced the LAN side VLAN first and everything still worked. However, once i introduced the VLAN between the router and PIX, things have broken down.

Some config:

PIX

interface Ethernet0

nameif outside

security-level 0

ip address 100.100.100.100 255.255.255.248

interface Ethernet1

no nameif

no security-level

no ip address

interface Ethernet1.401

vlan 401

nameif inside_lan

security-level 0

ip address 172.16.2.1 255.255.255.252

....

global (outside) 1 interface

nat (inside_lan) 1 0.0.0.0 0.0.0.0

....

route outside 0.0.0.0 0.0.0.0 100.100.100.100 1

route inside_lan 10.0.8.0 255.255.255.0 172.16.2.2 1

...

fw1(config)# show nat inside_lan outside

match ip inside_lan any outside any

dynamic translation to pool 1 (100.100.100.100 [Interface PAT])

translate_hits = 0, untranslate_hits = 0

1841

interface FastEthernet0/0

no ip address

duplex auto

speed auto

interface FastEthernet0/0.401

encapsulation dot1Q 401

ip address 172.16.2.2 255.255.255.252

interface FastEthernet0/1

no ip address

duplex auto

speed auto

interface FastEthernet0/1.101

encapsulation dot1Q 101

ip address 10.0.8.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 172.16.2.1

Anyone have any ideas?

NAT stops working with VLAN on PIX

varrao — Wed, 04 Jan 2012 08:44:46 GMT

The router interface shold be a trunk interface as it is allowing multiple vlans:

interface FastEthernet0/0.401

encapsulation dot1Q 401

switchport mode access

switchport access vlan 401

ip address 172.16.2.2 255.255.255.252

interface FastEthernet0/1

no ip address

switchport mode trunk

switchport trunk allowed vlan 401,101

duplex auto

speed auto

interface FastEthernet0/1.101

encapsulation dot1Q 101

switchport mode access

switchport access vlan 101

ip address 10.0.8.1 255.255.255.0

Hope that helps.

Thanks,

Varun

Re: NAT stops working with VLAN on PIX

global-gossip — Wed, 04 Jan 2012 10:19:21 GMT

I am unable to use the switchport command on the interface I am currently using however it looks like if I change the interface to the HWIC card (FastEthernet0/0/0) then I can issue the command. What is the difference between the inbuilt port and the HWIC? I thought that the built in one was layer 3 (hence why an IP could be assigned) and HWIC was layer 2 only. However, surely a layer 3 port would have layer 2 functionality as well?