RE: Double NAT issue with additional L3 device on the network

tdotvix1982
Level 1

Hi Experts,

This is pretty much my first time installing an L3 device on a LAN network. Never assumed there could be so many issues while installing an L3 switch on the LAN. Routing on the WAN network is so much different, really. Anyhow, my question is the following:

I have been asked to install an L3 3750 switch on a LAN network which was previously running a flat L2 network. We are proposing to perform inter-VLAN routing for all the VLANs behind the switch. However, things started looking more and more complex as we were told of a firewall device which is running in routed mode, has a site-to-site VPN to the client's HO and is performing NAT between different IP schemes at the HO and the branch. We will be installing the L3 switch at the branch. Now the issue I am thinking will pop up could be to do with double NATing of addresses. So basically the HO addresses are NATed to a different IP address scheme running between the firewall and the L3 switch. Now another NATing of addresses would be performed to the IP addresses running in the VLANs behind the L3 switch. We are using static routes across the network. Previously all the NATing was being performed at the firewall. Now would I need to perform static network translations to servers with static IP addresses, for instance ones in any one of the VLANs on the L3 switch, as well?

I have also attached a simple network diagram for this scenario with this post. PFA for graphical representation of the setup. Please do shower in any input you may have.

Thanks,

Vick.

1 Accepted Solution

Accepted Solutions

lgijssel
Level 9

Hi Vick,

Normally you do not perform NAT on a L3 switch. Probably it isn't even in the feature set.

All NAT config remains in the firewall.

Define VLANs for all existing subnets on the 3750, attach them to the correct interfaces and enable L3 switching.

What you need to do next is introduce a new subnet between the FW and the 3750.

This will be used as a transit to route between the two.

The FW gets static routes for all subnets behind the 3750, the 3750 needs a default route pointing to the FW.

Hope this helps.

regards,

Leo


3 Replies

Jon Marshall
Hall of Fame

Just to add to Leo's reply.

NAT is only supported on 6500 switches so you can't do NAT on a 3750.

But it's not clear from your description why you need to do double NATing. Just do as Leo says and set up the L3 VLANs on the 3750 and route them on that. Then point them to the firewall for any non-local traffic.

Jon
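As an added example (not from the thread, and not a configuration Leo or Jon posted), here is the design both replies describe written as a Cisco IOS configuration for the 3750: one SVI per existing subnet, a new transit subnet to the firewall, a default route to the firewall, and no NAT on the switch. The VLAN numbers, subnets and port numbers are constructed, and the firewall-side routes are shown in IOS syntax only because the firewall model is not stated.

```cisco
! Constructed example: 3750 doing inter-VLAN routing, firewall keeps NAT and VPN.
! Turn on the IPv4 routing process; it is off by default on a 3750.
ip routing
!
! One VLAN per existing subnet. The SVI becomes that subnet's default gateway.
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 99
 name FW-TRANSIT
!
interface Vlan10
 description Users 192.168.10.0/24 (constructed)
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 description Servers 192.168.20.0/24 (constructed)
 ip address 192.168.20.1 255.255.255.0
!
! New transit subnet between the firewall and the 3750; only these two
! devices live on it, so a /30 is enough.
interface Vlan99
 description Transit to firewall inside interface (192.168.99.1)
 ip address 192.168.99.2 255.255.255.252
!
! The firewall-facing port carries only the transit VLAN.
interface GigabitEthernet1/0/1
 description Firewall inside interface
 switchport mode access
 switchport access vlan 99
!
! Host ports are plain access ports in their subnet's VLAN.
interface range GigabitEthernet1/0/2 - 12
 switchport mode access
 switchport access vlan 10
!
! Anything not locally connected goes to the firewall, which still does
! all NAT and terminates the site-to-site VPN to HO.
ip route 0.0.0.0 0.0.0.0 192.168.99.1
!
! On the firewall (vendor syntax will differ), one static route per VLAN
! subnet pointing at the 3750's transit address:
!   ip route 192.168.10.0 255.255.255.0 192.168.99.2
!   ip route 192.168.20.0 255.255.255.0 192.168.99.2
! Assumption: the firewall's existing NAT rules and VPN interesting-traffic
! definition referenced the old flat subnet; they must now name the VLAN
! subnets above, otherwise that traffic is neither translated nor encrypted.
! Check with: show ip route / show ip interface brief on the 3750.
```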

Hi guys,

Thanks a lot for affirming that. It's just that normally when you go through an L3 device you would expect to NAT at the last hop, e.g. at a router or firewall which can 'route' traffic. At least that's the way I've always done it. Taking this concept further, I was quite confused about performing routing on the LAN. Thanks for all the help with this.

Thanks,

Waqas.
