Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1574
Views
10
Helpful
12
Replies

Allowing internet (NAT) from Cisco ASA via Cisco SW-C9300

gal.avichid
Level 1
Level 1

‎12-09-2022 09:20 AM

Hi Guys,

I am trying to allow internet with NAT to one computer in our network but I guess i miss something.

CISCO ASA FW - p1/WAN (can ping 8.8.8.8)

CISCO ASA FW - p2/10.5.100.254

SW - p25 (defined as access port VLAN 100 - 10.5.100.1)

to the same sw, machineA is connected, IP - 10.5.100.50 (port defined as access port VLAN 100)

Now, I can ping the Cisco ASA from machineA and vice versa.

I have add NAT Rule for 10.5.100.50 via WAN port.

I still can't ping or get internet on machineA.

Tried using packettracer on FW, seems to be fine:

galavichid_0-1670606230644.png

Tried to tracert from machineA:

galavichid_2-1670606350159.png

galavichid_3-1670606367658.png

Happy to get any suggestion

Thanks

 

 

 

Labels:
0 Helpful
12 Replies 12

Rob Ingram
VIP
VIP

‎12-09-2022 09:35 AM

@gal.avichid please run the packet-tracer from the CLI and provide the full output.

Please provide the running configuration, remove public IP address/sensitivie information etc.

0 Helpful

gal.avichid
Level 1
Level 1

‎12-09-2022 01:54 PM

Attached both

Thank you

Preview file
4 KB
Preview file
2 KB
0 Helpful

Rob Ingram
VIP
VIP
In response to gal.avichid

‎12-09-2022 02:01 PM

@gal.avichid does the client computer have the ASA admin interface IP 10.5.100.254 as its default gateway? And a DNS is configured? If using a local DNS server can that server access the Internet to resolve external host names?

gal.avichid
Level 1
Level 1
In response to Rob Ingram

‎12-09-2022 02:05 PM

@Rob Ingram the default gateway of the client is 10.5.100.1, which is the default gateway of the VLAN of the Switch - i guess there is my bottle neck?

The DNS is the Domain Controller address, not using it to resolve external host names.

0 Helpful

Rob Ingram
VIP
VIP
In response to gal.avichid

‎12-09-2022 02:09 PM - edited ‎12-09-2022 02:14 PM

@gal.avichid setup a routed vlan on a different network between the switch and the ASA, this can be a /30 if just 1 ASA/switch. You then need a static route on the ASA to the 10.5.100.0/24 as it would no longer be directly connected.

You would also need to define a default route on the switch, with the ASA interface as the next hop.

0 Helpful

gal.avichid
Level 1
Level 1
In response to Rob Ingram

‎12-09-2022 02:13 PM

@Rob Ingram I could fix it also with just set a route from machineA

route -p add 0.0.0.0 mask 0.0.0.0 10.5.100.254

Thanks ROB!

0 Helpful

Rob Ingram
VIP
VIP
In response to gal.avichid

‎12-09-2022 02:20 PM

@gal.avichid you can, but that's a really bad design. Let the switch do the routing as suggested.

0 Helpful

gal.avichid
Level 1
Level 1
In response to Rob Ingram

‎12-09-2022 03:11 PM

@Rob Ingram If i understood right, you suggesting for example change the ASA interface to 10.5.110.X/30

on the SW create new VLAN 110   

add static route on the ASA 10.5.100.0/24

add route on the SW for the next hop to 10.5.110.X

0 Helpful

Rob Ingram
VIP
VIP
In response to gal.avichid

‎12-10-2022 12:11 AM

@gal.avichid yes.

Create a new VLAN on the switch 10.5.110.2/30 and add the interface connecting to the ASA into that VLAN
Enable ip routing on the switch (if it isn't already)
Create a static route via the ASA - "ip route 0.0.0.0 0.0.0.0 10.5.110.1"
Reconfigure the "admin" interface on the ASA with IP address 10.5.110.1/30
Create a static route on the ASA to the inside networks - "route admin 10.5.100.0 255.255.255.0 10.5.110.2"

If you've only 1 VLAN on your switch then you could change the default gateway of all the computers to be the ASA IP address....but if you've got mulitple VLANs or you plan to, the procedure above is simpliest.

gal.avichid
Level 1
Level 1
In response to Rob Ingram

‎12-13-2022 09:11 AM

Hi Rob,

How that will work if Ill try to share internet with a machine on different subnet? (10.6.100.X)

This machine is connect to different SW (with multiple VLANS) and uplink to the SW I was working on the previous message.

I will need to create another VLAN just with 10.6.X.X and route the rest as same you mentioned up?

Thank you

0 Helpful

Rob Ingram
VIP
VIP
In response to gal.avichid

‎12-13-2022 09:17 AM - edited ‎12-13-2022 10:24 AM

@gal.avichid if the 9300 is the core switch, all traffic from the other VLANs would be routed to the ASA.

You will need NAT rules on the ASA for each additional network (VLAN) on the switches.

object network LAN-B
 subnet 10.6.100.0 255.255.255.0
 nat (admin,outside) dynamic interface

On the ASA you will need routes to each of these additional networks, i.e.-

route admin 10.6.100.0 255.255.255.0 10.5.110.2

Repeat for each network appropriately.

This is why I suggested routing properly, rather than using a static route on the computer.

0 Helpful

MHM Cisco World
VIP
VIP

‎12-09-2022 03:22 PM

friend this host is get IP from DHCP ? if yes, disable DHCP in host 
config manual IP (exclude this ip from DHCP)
config default gateway to be your admin interface IP 

this make host use ASA as gateway and can access internet.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card