Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

NAT stops working with VLAN on PIX

I have the following devices:

I have a PIX 515e (8.0 (2)) and 1841 router (12.4(25)).

I had the following setup working without issue:

[Internet] <-----> PIX  <-----> 1841  <-----> [LAN]

I then tried to introduce VLANs and now I can not reach the Internet from the LAN.  It seems that no nat translations are taking place.

I can successfully ping the LAN from the PIX.

I can successfully ping the Internet from the PIX.

I can successfully ping the PIX inside_lan interface from the router

I can not ping the outside interface from the router

I can not ping the Internet from the router

I introduced the LAN side VLAN first and everything still worked.  However, once i introduced the VLAN between the router and PIX, things have broken down.

Some config:

PIX

interface Ethernet0

nameif outside

security-level 0

ip address 100.100.100.100 255.255.255.248

!

interface Ethernet1

no nameif

no security-level

no ip address

!

interface Ethernet1.401

vlan 401

nameif inside_lan

security-level 0

ip address 172.16.2.1 255.255.255.252

!

....

global (outside) 1 interface

nat (inside_lan) 1 0.0.0.0 0.0.0.0

....

route outside 0.0.0.0 0.0.0.0 100.100.100.100 1

route inside_lan 10.0.8.0 255.255.255.0 172.16.2.2 1

...

fw1(config)# show nat inside_lan outside

  match ip inside_lan any outside any

    dynamic translation to pool 1 (100.100.100.100 [Interface PAT])

    translate_hits = 0, untranslate_hits = 0

1841

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

!

interface FastEthernet0/0.401

encapsulation dot1Q 401

ip address 172.16.2.2 255.255.255.252

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

!

interface FastEthernet0/1.101

encapsulation dot1Q 101

ip address 10.0.8.1 255.255.255.0

!

ip route 0.0.0.0 0.0.0.0 172.16.2.1

Anyone have any ideas?

Everyone's tags (4)
2 REPLIES
Red

NAT stops working with VLAN on PIX

The router interface shold be a trunk interface as it is allowing multiple vlans:

interface FastEthernet0/0.401

encapsulation dot1Q 401

switchport mode access

switchport access vlan 401

ip address 172.16.2.2 255.255.255.252

!

interface FastEthernet0/1

no ip address

switchport mode trunk

switchport trunk allowed vlan 401,101

duplex auto

speed auto

!

interface FastEthernet0/1.101

encapsulation dot1Q 101

switchport mode access

switchport access vlan 101

ip address 10.0.8.1 255.255.255.0

Hope that helps.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

Re: NAT stops working with VLAN on PIX

I am unable to use the switchport command on the interface I am currently using however it looks like if I change the interface to the HWIC card (FastEthernet0/0/0) then I can issue the command.  What is the difference between the inbuilt port and the HWIC?  I thought that the built in one was layer 3 (hence why an IP could be assigned) and HWIC was layer 2 only.  However, surely a layer 3 port would have layer 2 functionality as well?

520
Views
0
Helpful
2
Replies
CreatePlease to create content