Static NAT to Layer 3 Intervlan Switch

Colourful
Level 1

I have a design in mind which would implement a layer 3 switch with 3 VLANs, all VLANs would point at the switch as the default gateway and then the switch would route all traffic to an ASA Firewall. My question relates to how would I create a static NAT to an internal device from the firewall. I'm familiar with a "Router on a Stick" concept and how the firewall has direct access to the VLAN.

I have attached a document for a sketched view.

Kind regards,

Jake        

Accepted Solution

Hi,

Correct, you configure the firewall with NAT and let it route traffic to the layer-3 switch and the switch takes it from there.

If you have ASDM installed, you can use it to do dynamic NAT.  This link shows you the step-by-step configuration to create the objects, NAT pool and NAT rules.

And would the link between the firewall and switch require a trunk?

No, since your network is a routed network and you have /30s between switch 1,2,3 and the core and also between the core and the firewall, I am assuming you are running a dynamic routing protocol or static routes.  Either way, the firewall should know about 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24.  So, there is no need for a trunk.

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/firewall/nat_objects.html

HTH
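The design the accepted answer describes, written out as an added ASA configuration example (not from the thread or from Cisco's documentation). It uses the 8.3+ object NAT syntax covered by the ASA 9.1 link above; the "static (inside,outside) ..." form in the question is the pre-8.3 syntax. The interface addresses, the 10.0.0.0/30 link to the core switch, the server address 192.168.0.10 and the object names are all assumptions.

```cisco
! --- ASA side (8.3+ / 9.x syntax); addresses below are assumed ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252   ! routed /30 to the core L3 switch, no trunk
!
! The VLAN subnets are behind the core switch, not directly connected,
! so the ASA must have routes to them (static here; a dynamic protocol
! learning the same prefixes from the core would do the same job).
route inside 192.168.0.0 255.255.255.0 10.0.0.2
route inside 192.168.1.0 255.255.255.0 10.0.0.2
route inside 192.168.2.0 255.255.255.0 10.0.0.2
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Outbound: dynamic PAT of all internal VLANs to the outside interface.
object network INSIDE_NETS
 subnet 192.168.0.0 255.255.252.0
 nat (inside,outside) dynamic interface
!
! Inbound: static PAT, outside-interface:443 -> server 192.168.0.10:443.
! Object NAT with "static" is evaluated before the dynamic rule above.
object network SRV_WEB
 host 192.168.0.10
 nat (inside,outside) static interface service tcp https https
!
! NAT alone does not admit traffic through the outside interface; an ACL
! must permit it. From 8.3 on, the ACL references the REAL (untranslated)
! address and port, i.e. the object, not the outside interface address.
access-list OUTSIDE_IN extended permit tcp any object SRV_WEB eq https
access-group OUTSIDE_IN in interface outside
```

The core switch needs a matching default route toward 10.0.0.1 (IOS: ip route 0.0.0.0 0.0.0.0 10.0.0.1) so the server's replies come back through the ASA; on the ASA, packet-tracer input outside tcp 198.51.100.7 12345 203.0.113.2 443 shows whether the route, the NAT rule and the ACL are each hit as intended.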



Reza Sharifi
Hall of Fame

You can use NAT in routed mode on the ASA.  Have a look at this config guide for an example:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1102717

HTH

Hi Reza,

Okay, so that is the normal NAT that allows internal traffic to gain access to the internet. But what about configuring PAT? Would the commands be the same? For example, if I had 4 VLANs on an internal layer 3 switch:

192.168.0.1/24    - Servers

192.168.0.2/24   - Clients

192.168.0.3/24   - Clients

102.168.0.4/24   - Phones

If I wanted to create a static PAT on the ASA to the server VLAN, would it be the same as a Router on a Stick config? So something like: Static (Inside,Outside) Internal Host, Port Number - External Address, Port Number. Would the firewall just forward traffic to the layer 3 switch and then the switch would take it from there? And would the link between the firewall and switch require a trunk?

See this Lab environment for more info. So what config would I input into the Firewall to PAT over to an internal server/client?

