Solved: L3 VLANs to ASA NAT Issue

Ammit · ‎02-18-2018

Hay guys

I have a L3 switch with multiple vlans and inter-vlan routing going on. The L3 switch connects to an ASA appliance which splits to the outside and a DMZ. I have configured NAT and the servers in the DMZ can ping outside and NAT takes places as expected. The hosts of the network on the other hand ping to the outside and the packets gets dropped by the router I am pinging because NAT hasn't taken place and I don't know why. I have set static routes on the ASA to each vlan and a static route between the L3 switch and ASA. Any ideas whats happening?

I have attached some images on the network on PT and here is the ASA config;

ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.168.1.2 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.168.2.1 255.255.255.0
!
object network inside-dmz
 subnet 172.168.2.0 255.255.255.0
object network inside-floor1-it
 subnet 10.1.0.0 255.255.255.0
object network inside-net
 subnet 10.0.0.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.168.1.1 1
route inside 10.1.10.0 255.255.255.0 10.0.0.1 1
route inside 10.1.20.0 255.255.255.0 10.0.0.1 1
route inside 10.1.30.0 255.255.255.0 10.0.0.1 1
route inside 10.2.10.0 255.255.255.0 10.0.0.1 1
route inside 10.2.20.0 255.255.255.0 10.0.0.1 1
route inside 10.2.30.0 255.255.255.0 10.0.0.1 1
route inside 10.3.30.0 255.255.255.0 10.0.0.1 1
route inside 10.3.20.0 255.255.255.0 10.0.0.1 1
route inside 10.3.10.0 255.255.255.0 10.0.0.1 1
route inside 10.0.0.0 255.255.255.0 10.0.0.1 1
!
!
!
object network inside-dmz
 nat (DMZ,outside) dynamic interface
object network inside-floor1-it
 nat (inside,outside) dynamic interface
object network inside-net
 nat (inside,outside) dynamic interface
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
!

Julio E. Moisa · ‎02-18-2018

Hi,

Have you configured the ACLs to allow the communication and also you need to create the access-groups to associate the ACLs to the interfaces.

Also remember configure the routes to reach the internal networks on the router.

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Julio E. Moisa · ‎02-18-2018

Hi,

Have you configured the ACLs to allow the communication and also you need to create the access-groups to associate the ACLs to the interfaces.

Also remember configure the routes to reach the internal networks on the router.

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Ammit · ‎02-18-2018

Would I need to create objects on the ASA for each subnet?

Ammit · ‎02-18-2018

Got it working dude, you were right thanks alot :)

Julio E. Moisa · ‎02-18-2018

Hi

You are welcome, Im glad to hear that

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

delafuente · ‎02-01-2019

Hi Ammit, Any chance you could post the new configurations please???

Thx and regards