inter vlan routing behind ASA

Unanswered Question
Feb 10th, 2010

Dear All,

Despite reading some related topics, I was not able to find a solution for my issue.

I would like to set up the following design:

Internet router
      |                    outside (security level 0)
Firewall -----------> NAT for internal networks and a route back to the L3 switch
      |                    inside (security level 100)
Layer 3 switch             various VLAN SVIs
      |
Cisco NAC in-band virtual gateway
      |
Layer 2 switch
      |
PCs

I have created SVIs on the layer 3 switch for 15 VLANs (172.16.10.0, 172.16.20.0, 172.16.30.0, 172.16.40.0, etc.). I set up the 192.168.100.0/30 network for the link between the layer 3 switch and the ASA. I do not want to do inter-VLAN routing on the ASA. My issue is:

I want to keep inter vlan routing on the L3 switch and still allow users to have internet access.

Will this setup on the ASA allow me to have access to the internet?

nat (inside) 1 172.16.10.0 255.255.255.0

nat (inside) 2 172.16.20.0 255.255.255.255

nat (inside) 3 172.16.30.0  255.255.255.0

global (outside) 1 interface

route inside 172.16.10.0 255.255.255.0 192.168.100.2

route inside 172.16.20.0 255.255.255.0 192.168.100.2

route inside 172.16.30.0 255.255.255.0 192.168.100.2

with 192.168.100.2 being the routed port of the L3 switch

Thanks

Collin Clark Wed, 02/10/2010 - 11:57

nat (inside) 1 172.16.10.0 255.255.255.0

nat (inside) 2 172.16.20.0 255.255.255.255

nat (inside) 3 172.16.30.0  255.255.255.0

The number matches the global statement. Since you don't have a global 2 or 3, those two address spaces would never get NAT'ed.

They should all be under a single number (instead of 1, 2, and 3). Use an ACL to define each of them and then use the ACL in the NAT statement.

access-list i_wanna_be_natted extended permit ip 172.16.10.0 255.255.255.0 any

access-list i_wanna_be_natted extended permit ip 172.16.20.0 255.255.255.0 any

access-list i_wanna_be_natted extended permit ip 172.16.30.0 255.255.255.0 any

nat (inside) 1 access-list i_wanna_be_natted

Hope it helps

trustcisco Wed, 02/10/2010 - 12:46

I have exactly the same setup as you and everything is working fine.

If you want your vlans to have access to the internet you will need a global statement as Clark said.

e.g.

global (outside) 1 interface

nat (inside) 1 access-list nat_out

access-list nat_out extended permit ip object-group PRIVATE-NETS any

where in PRIVATE-NETS you can define all of your internal subnets.

object-group network PRIVATE-NETS

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 172.16.30.0 255.255.255.0


Of course you will need an access-list to define specific access to the internet. The access-list will be applied to your inside interface.

e.g. for web access (HTTP only)

access-list INSIDE_IN extended permit tcp object-group PRIVATE-NETS any eq 80

access-group INSIDE_IN in interface inside

You can be as strict as you like.

Your route statements are correct; their next-hop address should be the IP address of the routed port of the switch.

Hope it helps.
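As an added check, not part of the original thread, a small audit script for the ASA 8.2-style NAT and route lines discussed above: it flags nat ids with no matching global, a nat statement that references an undefined access-list (the nat-out/nat_out spelling slip in the reply), a host mask where a subnet mask was probably meant, and inside routes whose next hop is not on the 192.168.100.0/30 link. The ASA's own address on that link is assumed to be 192.168.100.1, and the sample config is constructed.

```python
import ipaddress
import re

# Constructed sample (not the poster's exact text): the post's lines plus two
# assumed extras, a nat id 4 tied to a mis-spelled ACL and a bad next hop.
SAMPLE_CONFIG = """\
nat (inside) 1 172.16.10.0 255.255.255.0
nat (inside) 2 172.16.20.0 255.255.255.255
nat (inside) 3 172.16.30.0 255.255.255.0
nat (inside) 4 access-list nat-out
access-list nat_out extended permit ip object-group PRIVATE-NETS any
global (outside) 1 interface
route inside 172.16.10.0 255.255.255.0 192.168.100.2
route inside 172.16.20.0 255.255.255.0 192.168.100.2
route inside 172.16.30.0 255.255.255.0 10.99.0.1
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) ")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def audit_nat_and_routes(config, inside_link="192.168.100.1/30"):
    """Return findings for ASA 8.2-style nat/global/route lines in config.
    inside_link is the ASA's inside address with mask (assumed .1 of the /30)."""
    link = ipaddress.ip_interface(inside_link).network
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    global_ids = {m.group(2) for m in map(GLOBAL_RE.match, lines) if m}
    acl_names = {m.group(1) for m in map(ACL_RE.match, lines) if m}
    findings = []
    for line in lines:
        nat, route = NAT_RE.match(line), ROUTE_RE.match(line)
        if nat:
            nat_id, args = nat.group(2), nat.group(3).split()
            # nat 0 (exemption) needs no global; any other id must have a
            # global with the same id, or that traffic is never translated.
            if nat_id != "0" and nat_id not in global_ids:
                findings.append(f"nat id {nat_id}: no matching 'global (outside) {nat_id}'")
            if args[0] == "access-list" and args[1] not in acl_names:
                findings.append(f"nat id {nat_id}: ACL '{args[1]}' is not defined")
            elif args[0] != "access-list":
                net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
                if net.prefixlen == 32:  # a .0 network given a host mask
                    findings.append(f"nat id {nat_id}: host mask on {args[0]}, subnet mask intended?")
        if route and route.group(1) == "inside":
            next_hop = ipaddress.ip_address(route.group(4))
            if next_hop not in link:
                findings.append(f"route {route.group(2)}: next hop {next_hop} not on {link}")
    return findings
```

Run it against a `show running-config` dump instead of SAMPLE_CONFIG to check a real box; an empty list means the three checks passed.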
