
ISA570 not NAT'ing Alternate Subnets


This is my first time using the ISA570 having used the SA500 in the past.

Our setups are straightforward: on small sites we have an SG300/500 handling inter-VLAN routing and an ISA500 series handling access to the internet etc.

For example we have four VLANs, management/data/wifi/voice.  The ISA570 is in the management vlan1 with static routes to the subnets for data vlan, wifi vlan and voice vlan.

Devices in the management vlan with a default GW of the SG300 can connect to the internet without issue.

Devices in the data vlan can access the ISA500 in the management vlan and vice versa.

However for some reason devices in the data vlan cannot access the internet.

A trace route will confirm the request reaches the ISA500 but then stops.

Packet captures show the ISA500 presenting the private IP addresses of other subnets to the internet instead of NATing them.

It will happily NAT any device on the same subnet as itself but will not NAT other subnets.

Latest firmware is installed.

Anyone seen this or have any idea?




When you set up the VLANs, did you also set up a DHCP scope? You might also check the NAT/PAT settings under Firewall, as it should have automatically created the necessary entries. If not, create a NAT entry for the VLANs needing access to the Internet and use the appropriate WAN interface in the configuration.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Thanks for your reply.

I may not have explained my set up correctly.

The ISA570 is only being used for internet access, it is not performing any intervlan routing, the Layer 3 switch is taking care of all that.  The Layer 3 switch default route is the ISA570.

The ISA doesn't interact with the other VLANs directly, just forwarding traffic to the statically assigned routes configured to direct traffic for the relevant subnets, but the ISA570 is not VLAN aware in this instance and is only a member of one subnet.  So DHCP is not even required at this point and will be handled elsewhere anyway; all devices are statically assigned at the moment.

So for example the gateway for all devices is the Layer 3 switch.  The default route for the Layer 3 switch is the ISA570.

The ISA570 is not VLAN aware and has static routes for each subnet i.e. data subnet etc. with a default route as the Layer 3 switch.

Hopefully that makes a bit more sense.

It's a very straightforward set up at this point.

So as an example, a device on the same subnet as the ISA570 with a default GW as the Layer 3 switch performs a ping to google on, and a capture taken on the outside shows a source address of my NAT'd public IP and a destination as, this all being correct.

Now a device on the data VLAN with an IP of performs a ping to google on; the packet first hits the Layer 3 switch, which forwards it to its default route, the ISA570; the ISA570 forwards it on to its default route, being my ISP's public IP GW.  A capture taken from the outside will show a source address as being my un-NAT'd private IP with a destination of, and naturally this fails.
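The two behaviours described in this thread (Shawn's point that each inside VLAN subnet needs its own NAT entry bound to the WAN interface, and the poster's outside capture showing private source addresses leaving un-NAT'd) can be modelled and checked with a small script. The following is an added example, not the thread's own configuration or any ISA570 CLI: it models source NAT as a per-subnet rule table, runs constructed test traffic from one host per VLAN through it, and flags any packet that reaches the WAN side still carrying an RFC 1918 source, mapping it back to the inside subnet whose NAT entry is missing. All subnets, host addresses, the public IP and the interface name `WAN1` are constructed assumptions.

```python
"""Added example (not the thread's own config): a toy model of per-subnet
source NAT plus a WAN-side capture check for un-NAT'd private sources.
All subnets, interface names and addresses below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inside subnets standing in for the thread's four VLANs.
MGMT = ipaddress.ip_network("192.168.1.0/24")    # assumed: ISA570's own subnet
DATA = ipaddress.ip_network("192.168.10.0/24")
WIFI = ipaddress.ip_network("192.168.20.0/24")
VOICE = ipaddress.ip_network("192.168.30.0/24")
INSIDE = [MGMT, DATA, WIFI, VOICE]
PUBLIC = ipaddress.ip_address("198.51.100.10")   # assumed NAT'd public IP


@dataclass(frozen=True)
class NatRule:
    inside: ipaddress.IPv4Network    # source subnet this entry translates
    wan_if: str                      # WAN interface the entry is bound to
    public_ip: ipaddress.IPv4Address


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    egress_if: str


def apply_snat(pkt: Packet, rules: Iterable[NatRule]) -> Packet:
    """Packet as it leaves the WAN: translated only if a rule matches both the
    source subnet and the egress interface; otherwise forwarded unchanged,
    which is the symptom the thread describes for the non-local subnets."""
    for r in rules:
        if pkt.egress_if == r.wan_if and pkt.src in r.inside:
            return Packet(r.public_ip, pkt.dst, pkt.egress_if)
    return pkt


def is_private(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in n for n in RFC1918)


def find_leaks(wan_capture: Iterable[Packet]) -> List[Packet]:
    """Packets seen on the outside whose source is still an RFC 1918 address."""
    return [p for p in wan_capture if is_private(p.src)]


def subnets_missing_nat(leaks: Iterable[Packet], inside_subnets=INSIDE):
    """Inside subnets that produced leaked packets, i.e. still need a NAT entry."""
    hit = {net for p in leaks for net in inside_subnets if p.src in net}
    return sorted(hit, key=lambda n: int(n.network_address))


def build_rules(subnets, wan_if="WAN1", public_ip=PUBLIC) -> List[NatRule]:
    """One NAT entry per inside subnet, all bound to the same WAN interface."""
    return [NatRule(n, wan_if, public_ip) for n in subnets]


def outside_capture(rules: Iterable[NatRule], wan_if="WAN1") -> List[Packet]:
    """Constructed traffic: one host per VLAN pinging an outside address, run
    through the NAT model to give what a capture on the WAN side would show."""
    dst = ipaddress.ip_address("203.0.113.1")   # assumed outside target
    hosts = ["192.168.1.50", "192.168.10.50", "192.168.20.50", "192.168.30.50"]
    return [apply_snat(Packet(ipaddress.ip_address(h), dst, wan_if), rules)
            for h in hosts]


if __name__ == "__main__":
    # Before the fix: only the ISA570's own subnet has a NAT entry.
    before = build_rules([MGMT])
    leaks = find_leaks(outside_capture(before))
    print("leaked private sources:", [str(p.src) for p in leaks])
    print("subnets missing NAT:", [str(n) for n in subnets_missing_nat(leaks)])
    # After the fix: one NAT entry per inside subnet on the WAN interface.
    after = build_rules(INSIDE)
    print("leaks after fix:", find_leaks(outside_capture(after)))
```

With only the management subnet in the rule table, the three other VLAN hosts appear on the outside with their private addresses and `subnets_missing_nat` names exactly the data, wifi and voice subnets; once a rule exists for each inside subnet, every packet leaves with the public source address. The same `find_leaks` check can be run over a real outside capture, since a private source on the WAN side is a configuration gap regardless of which device produced it.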