Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
746
Views
0
Helpful
2
Replies

NAT stops working with VLAN on PIX

global-gossip
Level 1
Level 1

‎01-04-2012 12:25 AM - edited ‎03-11-2019 03:09 PM

I have the following devices:

I have a PIX 515e (8.0 (2)) and 1841 router (12.4(25)).

I had the following setup working without issue:

[Internet] <-----> PIX  <-----> 1841  <-----> [LAN]

I then tried to introduce VLANs and now I can not reach the Internet from the LAN.  It seems that no nat translations are taking place.

I can successfully ping the LAN from the PIX.

I can successfully ping the Internet from the PIX.

I can successfully ping the PIX inside_lan interface from the router

I can not ping the outside interface from the router

I can not ping the Internet from the router

I introduced the LAN side VLAN first and everything still worked.  However, once i introduced the VLAN between the router and PIX, things have broken down.

Some config:

PIX

interface Ethernet0
 nameif outside
 security-level 0
 ip address 100.100.100.100 255.255.255.248
!
interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.401
 vlan 401
 nameif inside_lan
 security-level 0
 ip address 172.16.2.1 255.255.255.252
!
....
global (outside) 1 interface
nat (inside_lan) 1 0.0.0.0 0.0.0.0
....
route outside 0.0.0.0 0.0.0.0 100.100.100.100 1
route inside_lan 10.0.8.0 255.255.255.0 172.16.2.2 1
...
fw1(config)# show nat inside_lan outside
  match ip inside_lan any outside any
    dynamic translation to pool 1 (100.100.100.100 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0

1841

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 !
!
interface FastEthernet0/0.401
 encapsulation dot1Q 401
 ip address 172.16.2.2 255.255.255.252
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.101
 encapsulation dot1Q 101
 ip address 10.0.8.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.2.1

Anyone have any ideas?

Labels:
0 Helpful
2 Replies 2

varrao
Level 10
Level 10

‎01-04-2012 12:44 AM

The router interface shold be a trunk interface as it is allowing multiple vlans:

interface FastEthernet0/0.401

encapsulation dot1Q 401

switchport mode access

switchport access vlan 401

ip address 172.16.2.2 255.255.255.252

!

interface FastEthernet0/1

no ip address

switchport mode trunk

switchport trunk allowed vlan 401,101

duplex auto

speed auto

!

interface FastEthernet0/1.101

encapsulation dot1Q 101

switchport mode access

switchport access vlan 101

ip address 10.0.8.1 255.255.255.0

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

global-gossip
Level 1
Level 1
In response to varrao

‎01-04-2012 02:19 AM

I am unable to use the switchport command on the interface I am currently using however it looks like if I change the interface to the HWIC card (FastEthernet0/0/0) then I can issue the command.  What is the difference between the inbuilt port and the HWIC?  I thought that the built in one was layer 3 (hence why an IP could be assigned) and HWIC was layer 2 only.  However, surely a layer 3 port would have layer 2 functionality as well?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card