Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10787
Views
0
Helpful
4
Replies

Static NAT to Layer 3 Intervlan Switch

Go to solution
Colourful
Level 1
Level 1

‎02-23-2013 01:05 PM - edited ‎03-07-2019 11:54 AM

I have a design in mind which would implement a layer 3 switch with 3 VLANs, all vlan would point at the switch as the default gateway and then the switch would route all traffic to a ASA Firewall. My question relates to how would I create a static NAT to an internal device from the firewall. I'm familar with a "Router on a Stick" concept and how the firewall has direct access to the VLAN.

I have attached a document for a sketched view.

Kind regards,

Jake        

Labels:
15355335-InterRouting NAT ISSUE.vsd.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to Colourful

‎02-24-2013 07:07 AM

Hi,

Correct, you configure the firewall with NAT and let it route traffic to the layer-3 switch and the switch takes it from there.

If you have ASDM installed, you can use it to do dynamic NAT.  This link shows you step by step configuration to create the objects, NAT poll and NAT rules. 

And would the link between the firewall and switch require a trunk?

No, since your network is a routed network and you have a /30s between switch 1,2,3 and the core and also between the core and the firewall, I am assuming you are running a dynamic routing protocol or static routes.  Either way, there firewall should know about 192.168.0.0/24 192.168.1.0/24 and 192.168.2.0/24.  So, there is no need for a trunk.

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/firewall/nat_objects.html

HTH

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎02-23-2013 08:53 PM

You can use NAT in routed mode on the ASA.  Have a look at this config guide for an example:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1102717

HTH

0 Helpful

Go to solution
Colourful
Level 1
Level 1
In response to Reza Sharifi

‎02-23-2013 11:21 PM

Hi Reza,

Okay so that is the normal NAT that allows internal traffic to gain access to the internet. But what about configuring PAT? Would the commands be the same. For example if I had 4 Vlans an Internal layer 3 switch

192.168.0.1/24    - Servers

192.168.0.2/24   - Clients

192.168.0.3/24   - Clients

102.168.0.4/24   - Phones

If i wanted to create a static PAT on the ASA to the server VLAN, would it be the same as a Router on a stick config? so something like - Static (Inside,Outside) Internal Host, Port Number - External Address port number, Would the firewall just forward traffic to the layer 3 switch and then the switch would take it from there? And would the link between the firewall and switch require a trunk?

0 Helpful

Go to solution
Colourful
Level 1
Level 1
In response to Colourful

‎02-24-2013 04:25 AM

See this Lab environment for more info. So what config would I input into the Firewall to PAT over to an internal server/client?

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to Colourful

‎02-24-2013 07:07 AM

Hi,

Correct, you configure the firewall with NAT and let it route traffic to the layer-3 switch and the switch takes it from there.

If you have ASDM installed, you can use it to do dynamic NAT.  This link shows you step by step configuration to create the objects, NAT poll and NAT rules. 

And would the link between the firewall and switch require a trunk?

No, since your network is a routed network and you have a /30s between switch 1,2,3 and the core and also between the core and the firewall, I am assuming you are running a dynamic routing protocol or static routes.  Either way, there firewall should know about 192.168.0.0/24 192.168.1.0/24 and 192.168.2.0/24.  So, there is no need for a trunk.

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/firewall/nat_objects.html

HTH

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card