Layer 3 Vlan with Pix router, NAT issues, Please help

sean chang
Level 1

Our environment: backbone switch Catalyst 3560X with Layer 3 inter-Vlan routing

Router: Pix 515E , software version 8.0.4

we have L3 vlans using VTP on the switches, inter-vlan working, 2 Vlans are as the following:

vlan 1  : 10.1.1.1/255.255.0.0

vlan192: 192.168.1.1/255.255.255.0

the switch default gateway:10.1.1.254, which is the INSIDE interface IP of Pix515E, ALL Nat on vlan 1 is working fine. 

Question: how do I configure NAT for vlan 192?

so far I have tried the following without results:

1. Configure a  Vlan 192 on INSIDE interface on PIX with IP=192.168.1.2/24-------Not working

2. Configure a Vlan on INSIDE interface on PIX without IP address------NOT working

3. Don't configure any Interface on PIX for vlan 192----not working

In all cases, PIX says something like "No translation group found for tcp src inside:192.168.1.3/3000 dst=www.oracle.com"  ...

I have googled for a while and have run out of my wits now. Any suggestions and advice are greatly appreciated.

1 Accepted Solution


Jon Marshall
Hall of Fame

If you are routing on the L3 switch then you don't configure a vlan 192 interface on the pix.

When you say the default-gateway for the switch is the pix inside interface do you mean on the 3560 you have -

ip route 0.0.0.0 0.0.0.0  10.1.1.254

If so then you just need to setup NAT on the pix and add a route to the pix for the vlan 192 subnet.

The nat depends on what you already have ie. if you have

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

then that should cover the vlan 192 subnet as well. If you have -

nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 1 interface

then just add -

nat (inside) 1 192.168.1.0 255.255.255.0

you also need a route on the pix as mentioned ie.

route inside 192.168.1.0 255.255.255.0

If the routing is being done off the pix for these vlans then please come back with more details.

Edit - took out last bit about different setup so as not to confuse current issue.

Jon


3 Replies

dominic.caron
Level 5

Please provide the nat config of your firewall

Line beginning with : static, global or nat


Thank you Jon, you nailed it. Your solution saves me lots of time and trouble.

My shortened NAT looks like this (in Catalyst switch 3560X, I did have:

ip route 0.0.0.0 0.0.0.0  10.1.1.254 )

global (outside) 10 interface

global (dmz2) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 10.1.0.0 255.255.0.0

nat (inside) 10 192.168.1.0 255.255.255.0<------newly added according to Jon's advice

But the most critical part, which I never thought about, is this line:

route inside 192.168.1.0 255.255.255.0 10.1.1.1  ( I have been trying: route inside 192.168.1.0 255.255.255.0 10.1.1.254 before without success, I did not know this Vlan 192 should use L3 Vlan IP  of the default network)

Again, I really appreciate your great advice.
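
Added example, not part of the thread and not written by its posters: a small Python check that reproduces the two faults discussed above (no `nat` rule covering the routed VLAN, and an inside route whose next hop is the PIX's own address) against the configuration lines quoted in the thread. The function name `check` and the `BEFORE`/`AFTER` samples are constructed for illustration.

```python
import ipaddress

# Constructed sample built from values quoted in the thread: the PIX inside
# address (10.1.1.254/16) and the nat/global/route lines before and after the fix.
PIX_INSIDE = ipaddress.ip_interface("10.1.1.254/16")
BEFORE = """\
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 10.1.0.0 255.255.0.0
route inside 192.168.1.0 255.255.255.0 10.1.1.254
"""
AFTER = """\
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 10.1.0.0 255.255.0.0
nat (inside) 10 192.168.1.0 255.255.255.0
route inside 192.168.1.0 255.255.255.0 10.1.1.1
"""

def check(config, src, inside=PIX_INSIDE):
    """List problems for outbound traffic from src entering the inside interface."""
    src = ipaddress.ip_address(src)
    nat_ids, global_ids, routes = set(), set(), []
    for line in config.splitlines():
        f = line.split()
        if (f[:2] == ["nat", "(inside)"] and len(f) >= 5
                and f[2] != "0" and f[3] != "access-list"):
            # Dynamic NAT rule (nat 0 exemptions are skipped): keep its id if it covers src.
            if src in ipaddress.ip_network(f"{f[3]}/{f[4]}"):
                nat_ids.add(f[2])
        elif f[:1] == ["global"] and len(f) >= 3:
            global_ids.add(f[2])
        elif f[:2] == ["route", "inside"] and len(f) >= 5:
            routes.append((ipaddress.ip_network(f"{f[2]}/{f[3]}"),
                           ipaddress.ip_address(f[4])))
    problems = []
    if not nat_ids & global_ids:
        problems.append("no nat/global pair covers the source (no translation group)")
    if src not in inside.network:  # subnet routed by the L3 switch, not directly connected
        hops = [hop for net, hop in routes if src in net]
        if not hops:
            problems.append("no inside route back to the source subnet")
        for hop in hops:
            if hop == inside.ip:
                problems.append("next hop is the PIX's own inside address")
            elif hop not in inside.network:
                problems.append("next hop is not on the inside network")
    return problems
```

Calling `check(BEFORE, "192.168.1.3")` reports both faults, while `check(AFTER, "192.168.1.3")` returns an empty list.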