ASA 5505 - Layer 3 Switch - NAT for VLANs

joko11
Level 1

Hello,

 

I am currently working with Cisco Packet Tracer to develop a basic setup with a Layer 3 switch and an ASA.

The Layer 3 switch is managing multiple VLANs and has a routed (no switchport) uplink port to an ASA 5505. The Layer 3 switch is there for the inter-VLAN routing.

I need to establish a NAT on the ASA into a different network. I configured it following different online guides and reading up on common errors and problems. Still, I can't get it working for the VLANs.

It is possible for me to ping from the Layer 3 switch through the ASA into the network behind it. When I try to ping from a PC in one of the VLANs and observe the packets in simulation mode, no NAT is happening.

I configured a default gateway on the L3 switch and the ASA, and the ASA also has the static routes to route back to the VLANs. I don't know what I am missing. I would really appreciate your help.

L3 and ASA configs are attached.

 

L3

Switch#sh run
Building configuration...

Current configuration : 1738 bytes
!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport access vlan 30
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/4
 no switchport
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
!
interface Vlan10
 mac-address 0000.0c42.3d01
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
 mac-address 0000.0c42.3d02
 ip address 192.168.20.254 255.255.255.0
!
interface Vlan30
 mac-address 0000.0c42.3d03
 ip address 192.168.30.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1 
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end


Switch#

ASA:

ciscoasa(config-if)#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.10.254 255.255.0.0
!
interface Vlan9
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 no nameif
 no security-level
 no ip address
!
object network NAT
 subnet 192.168.1.0 255.255.255.0
object network NATV-LAN10
 subnet 192.168.10.0 255.255.255.0
object network NATV-LAN20
 subnet 192.168.20.0 255.255.255.0
object network NATV-LAN30
 subnet 192.168.30.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.10.253 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.20.0 255.255.255.0 192.168.1.2 1
route inside 192.168.30.0 255.255.255.0 192.168.1.2 1
!
!
!
object network NAT
 nat (inside,outside) dynamic interface
object network NATV-LAN10
 nat (inside,outside) dynamic interface
object network NATV-LAN20
 nat (inside,outside) dynamic interface
object network NATV-LAN30
 nat (inside,outside) dynamic interface
!
!
!
!
class-map test
 match default-inspection-traffic
!
policy-map ICMP
 class test
  inspect icmp 
!
service-policy ICMP global
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
!
!

 

Thanks and regards,

joko11
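
As an added sanity check (example code written for this thread, not the poster's configuration or anything from Cisco), the script below parses the ASA 8.4 object-NAT and route lines and reports inside subnets that have a nat rule but no route back, or a route but no nat rule. It runs on a constructed excerpt with two such gaps introduced on purpose; the poster's own objects, nat lines and routes pass this check, so a missing NAT object or return route is not what is wrong there.

```python
import ipaddress
import re

# Constructed excerpt modelled on the poster's ASA config, with two gaps added
# on purpose: NATV-LAN20 has a nat rule but no route, NATV-LAN30 the reverse.
ASA_CONFIG = """\
object network NAT
 subnet 192.168.1.0 255.255.255.0
object network NATV-LAN20
 subnet 192.168.20.0 255.255.255.0
object network NATV-LAN30
 subnet 192.168.30.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.10.253 1
route inside 192.168.30.0 255.255.255.0 192.168.1.2 1
object network NAT
 nat (inside,outside) dynamic interface
object network NATV-LAN20
 nat (inside,outside) dynamic interface
"""
# Subnets directly connected to ASA interfaces (inside = Vlan1 in the post).
CONNECTED = {"inside": [ipaddress.ip_network("192.168.1.0/24")]}

def parse_asa(text):
    # ASA prints an object's subnet and its nat line in separate sections,
    # so remember the current object name while scanning line by line.
    objects, nats, routes, cur = {}, {}, [], None
    for line in text.splitlines():
        if m := re.match(r"object network (\S+)", line):
            cur = m[1]
        elif m := re.match(r" subnet (\S+) (\S+)", line):
            objects[cur] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r" nat \((\w+),\w+\)", line):
            nats[cur] = m[1]  # source (real) interface of the rule
        elif m := re.match(r"route (\w+) (\S+) (\S+)", line):
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}")))
    return objects, nats, routes

def audit(objects, nats, routes, connected):
    # A translated subnet must be reachable on the rule's source interface
    # (connected or via a non-default route); otherwise the reply has no way back.
    def reachable(ifname, net):
        nets = connected.get(ifname, []) + [r for i, r in routes if i == ifname and r.prefixlen]
        return any(net.subnet_of(k) for k in nets)
    findings = []
    for name, net in objects.items():
        if name not in nats:
            findings.append(f"{name} {net}: no nat rule")
        elif not reachable(nats[name], net):
            findings.append(f"{name} {net}: no route on {nats[name]}")
    return findings
```

Paste the full `show run` output in place of the excerpt and pass the connected subnet of each named interface in `CONNECTED` to run it against a real box.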

1 Reply

rajan31
Level 1

The same thing is happening to me: the NAT is not working for the VLANs, but when I ping the outside server from the Layer 3 switch the NAT is working. I think Packet Tracer may have a bug.

 

Please provide the solution if you got it.
