Allowing internet (NAT) from Cisco ASA via Cisco SW-C9300

gal.avichid
Level 1

Hi Guys,

I am trying to allow internet with NAT to one computer in our network, but I guess I am missing something.

CISCO ASA FW - p1/WAN (can ping 8.8.8.8)

CISCO ASA FW - p2/10.5.100.254

SW - p25 (defined as access port VLAN 100 - 10.5.100.1)

To the same switch, machineA is connected, IP 10.5.100.50 (port defined as access port VLAN 100).

Now, I can ping the Cisco ASA from machineA and vice versa.

I have added a NAT rule for 10.5.100.50 via the WAN port.

I still can't ping or get internet on machineA.

Tried using packet-tracer on the FW, seems to be fine:

[screenshot: packet-tracer output]

Tried a tracert from machineA:

[screenshot: tracert output]

Happy to get any suggestions.

Thanks

12 Replies

@gal.avichid please run the packet-tracer from the CLI and provide the full output.

Please provide the running configuration; remove public IP addresses, sensitive information, etc.

gal.avichid
Level 1

Attached both

Thank you

@gal.avichid does the client computer have the ASA admin interface IP 10.5.100.254 as its default gateway? And is a DNS configured? If using a local DNS server, can that server access the Internet to resolve external host names?

@Rob Ingram the default gateway of the client is 10.5.100.1, which is the default gateway of the VLAN on the switch. I guess that is my bottleneck?

The DNS is the Domain Controller address, not using it to resolve external host names.

@gal.avichid set up a routed VLAN on a different network between the switch and the ASA; this can be a /30 if it's just 1 ASA/switch. You then need a static route on the ASA to 10.5.100.0/24, as it would no longer be directly connected.

You would also need to define a default route on the switch, with the ASA interface as the next hop.

@Rob Ingram I could also fix it by just setting a route on machineA:

route -p add 0.0.0.0 mask 0.0.0.0 10.5.100.254

Thanks ROB!

@gal.avichid you can, but that's a really bad design. Let the switch do the routing as suggested.

@Rob Ingram If I understood right, you are suggesting, for example, to change the ASA interface to 10.5.110.X/30,

on the SW create a new VLAN 110,

add a static route on the ASA for 10.5.100.0/24,

add a route on the SW with the next hop 10.5.110.X.

@gal.avichid yes.

Create a new VLAN on the switch 10.5.110.2/30 and add the interface connecting to the ASA into that VLAN
Enable ip routing on the switch (if it isn't already)
Create a static route via the ASA - "ip route 0.0.0.0 0.0.0.0 10.5.110.1"
Reconfigure the "admin" interface on the ASA with IP address 10.5.110.1/30
Create a static route on the ASA to the inside networks - "route admin 10.5.100.0 255.255.255.0 10.5.110.2"

If you've only got 1 VLAN on your switch then you could change the default gateway of all the computers to be the ASA IP address... but if you've got multiple VLANs, or you plan to, the procedure above is simplest.

Hi Rob,

How will that work if I try to share internet with a machine on a different subnet? (10.6.100.X)

This machine is connected to a different SW (with multiple VLANs) with an uplink to the SW I was working on in the previous message.

Will I need to create another VLAN just with 10.6.X.X and route the rest the same as you mentioned above?

Thank you

@gal.avichid if the 9300 is the core switch, all traffic from the other VLANs would be routed to the ASA.

You will need NAT rules on the ASA for each additional network (VLAN) on the switches.

object network LAN-B
 subnet 10.6.100.0 255.255.255.0
 nat (admin,outside) dynamic interface

On the ASA you will need routes to each of these additional networks, i.e.:

route admin 10.6.100.0 255.255.255.0 10.5.110.2

Repeat for each network appropriately.

This is why I suggested routing properly, rather than using a static route on the computer.
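The full configuration that results from the transit-VLAN procedure in the earlier reply, extended with the per-VLAN NAT and route shown in this one, as an added example that is not part of the thread. It also includes the CLI packet-tracer command that was asked for at the start of the thread. Assumed, because the thread does not state them: the 9300 port id GigabitEthernet1/0/25 for "p25", the ASA interface id GigabitEthernet1/2 for "p2", VLAN 106 for the 10.6.100.0/24 network, the object name LAN-A, and the nameif "outside" for the WAN interface (the thread's own NAT line already uses "admin" and "outside"). Only the interface numbering and the VLAN ids differ from the values given in the thread; the addresses are the thread's.

```cisco
! ---- Catalyst 9300 (constructed example; port ids and VLAN 106 are assumed) ----
ip routing
!
vlan 100
 name LAN-A
vlan 106
 name LAN-B
vlan 110
 name ASA-TRANSIT
!
! SVIs: the switch stays the default gateway for every user VLAN
interface Vlan100
 ip address 10.5.100.1 255.255.255.0
interface Vlan106
 ip address 10.6.100.1 255.255.255.0
!
! /30 transit network shared only with the ASA
interface Vlan110
 ip address 10.5.110.2 255.255.255.252
!
! p25: was an access port in VLAN 100, now carries only the transit VLAN
interface GigabitEthernet1/0/25
 description uplink to ASA admin interface
 switchport mode access
 switchport access vlan 110
!
! anything the switch has no route for goes to the ASA
ip route 0.0.0.0 0.0.0.0 10.5.110.1

! ---- ASA (constructed example; interface id assumed) ----
interface GigabitEthernet1/2
 nameif admin
 security-level 100
 ip address 10.5.110.1 255.255.255.252
!
! the LANs are no longer directly connected: point them at the switch SVI
route admin 10.5.100.0 255.255.255.0 10.5.110.2
route admin 10.6.100.0 255.255.255.0 10.5.110.2
!
! one PAT rule per inside network (object name LAN-A is assumed)
object network LAN-A
 subnet 10.5.100.0 255.255.255.0
 nat (admin,outside) dynamic interface
object network LAN-B
 subnet 10.6.100.0 255.255.255.0
 nat (admin,outside) dynamic interface

! ---- verification from the ASA exec prompt ----
! simulate machineA pinging 8.8.8.8: every phase should end in ALLOW and the
! NAT phase should translate 10.5.100.50 to the outside interface address
packet-tracer input admin icmp 10.5.100.50 8 0 8.8.8.8 detailed
! confirm both LAN routes point at 10.5.110.2
show route
```

Usage note: if packet-tracer allows the flow and TCP traffic from the hosts works but ping to the internet still fails, check whether "inspect icmp" is part of the ASA's global policy; without ICMP inspection the ASA does not let the echo replies back in by default. Keep the host's default gateway at the switch SVI (10.5.100.1 or 10.6.100.1); the persistent route added on machineA earlier in the thread should be removed once the switch routes to the ASA, otherwise that one host bypasses the switch's routing.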

Friend, does this host get its IP from DHCP? If yes, disable DHCP on the host,
configure a manual IP (exclude this IP from DHCP),
and configure the default gateway to be your admin interface IP.

This makes the host use the ASA as its gateway and it can access the internet.
