01-26-2010 07:34 AM - edited 03-06-2019 09:27 AM
I'm in the process of setting up a 3560G alongside an ASA 5505. What I'd like to do is have all traffic from vlan 10 to the internet be routed to 192.168.16.2 (the 'blue' inside interface), and all traffic from vlan 20 to the internet be routed to 192.168.17.2 (the 'green' inside interface), so that the traffic can be natted properly. I'd also like to keep my interVLAN routing. The problem is that currently, traffic from vlan 20 is being routed to 192.168.16.2 (which is on vlan 10) because of the route statement on the 3560, and the traffic doesn't get nat-translated. Traffic from vlan 10 flows to the internet properly. Is PBR on the switch my solution here? How would I implement it?
My config looks similar to:
(3560)
interface vlan 10
ip address 192.168.16.1 255.255.255.0
interface vlan 20
ip address 192.168.17.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.16.2
(asa)
interface vlan 2
nameif outside
security-level 0
ip address 200.1.1.1 255.255.255.248
interface vlan 10
nameif blue
security-level 100
ip address 192.168.16.2 255.255.255.0
interface vlan 20
nameif green
security-level 100
ip address 192.168.17.2 255.255.255.0
global (outside) 1 interface
global (outside) 2 200.1.1.2
global (outside) 3 200.1.1.3
nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255
nat (green) 3 192.168.17.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 200.1.1.6 1
01-26-2010 10:25 AM
In that case you wouldn't require PBR, right? All packets hit your VLAN SVI, and are forwarded to the ASA inside interface (blue segment). ASA would then do a NAT for both the 16.x & 17.x outside on either the interface IP or 200.1.1.2! Reverse traffic would come as expected through the firewall.. so simply you can remove the third NAT statement created for Green....
Raj
01-26-2010 10:27 AM
sequoyatech wrote:
Ah - in actuality, I don't have to for the 192.168.17.0/24 network. It could use global 1.
edit - just saw your edit. Can you elaborate? As I said before, I appreciate everyone's patience. I'm doing my damndest to learn this stuff!
Actually I think we have all missed a trick here. Your original post said you wanted to route the traffic from the 2 vlans to different interfaces on the ASA because you wanted to make sure the traffic got Natted properly.
But you don't need 2 interfaces on the ASA for that, i.e. let's say you just have one inside interface - blue, then your NAT statements would just be -
nat (blue) 1 192.168.16.0 255.255.255.0
nat (blue) 2 192.168.16.6 255.255.255.255
nat (blue) 3 192.168.17.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 200.1.1.2
global (outside) 3 200.1.1.3
So you definitely don't need PBR and you could if you wanted keep your existing NAT.
Or if you want to save a public IP just follow Raj's example.
Sometimes you just can't see the wood for the trees
Jon
01-26-2010 12:59 PM
I will test it out and let you know. Thanks!
01-26-2010 10:17 AM
Hi Nathan
as said before
route-map vlan20 permit 10
match ip address 1
set ip next-hop 192.168.17.2
access-list 1 permit 192.168.17.0 0.0.0.255
or you can put an extended access-list specifying tcp port/destination etc
access-list 101 permit ip 192.168.17.0 0.0.0.255 any
Raj
01-27-2010 11:53 AM
Thanks to everyone for their help. I used jon.marshall's method and it worked fine. Helpful hint for anyone trying to solve the same problem - I did have to add a static route to the ASA for each network on the 3560 - for example,
route inside 192.168.17.0 255.255.255.0 192.168.1.2
where 192.168.1.2 is the routed port on the 3560.
01-27-2010 12:00 PM
Yes Nathan
You are right .. this is because 192.168.17.0 is no longer a directly connected network, as it was before, and goes through the routed port to the BLUE network.. Any more VLANs you would add here would need similar routing configuration.. but as said before, you might want to reconsider having a separate broadcast domain of /30 for your connection between the Switch and firewall.. just to isolate the firewall from local broadcasts and a very good design for future development
Internet router
| outside (security level 0)
Firewall ----------- > NAT for internal networks and a route back to L3 switch..
| inside (security level 100)
Layer 3 switch
| various VLAN SVI's
PC's
Raj
01-27-2010 12:36 PM
Raj, if I'm understanding your post correctly, my solution implements that.
01-27-2010 12:50 PM
sequoyatech wrote:
Raj, if I'm understanding your post correctly, my solution implements that.
Nathan
Based on your last post to me you have indeed implemented this solution. Glad you got it all working.
Jon
01-27-2010 12:52 PM
Ahh... You are right.. Didn't notice the next hop interface IP address of your route for 192.168.17.x (192.168.1.x) which is a dedicated layer 3 interface.... I was thinking that you had used the same vlan 10 interface (192.168.16.1, 192.168.16.2) interfaces to route the VLAN 20 traffic... it looks good now...
Thanks & Regards
Raj
01-27-2010 12:03 PM
sequoyatech wrote:
Thanks to everyone for their help. I used jon.marshall's method and it worked fine. Helpful hint for anyone trying to solve the same problem - I did have to add a static route to the ASA for each network on the 3560 - for example,
route inside 192.168.17.0 255.255.255.0 192.168.1.2
where 192.168.1.2 is the routed port on the 3560.
Nathan
Many thanks for getting back and letting us know.
So did you use just one public IP for both 192.168.16.x and 192.168.17.x addresses ?
And by the sounds of it you used just one link between the ASA and the switch ?
Just wanted to confirm for others who may read the post because I think it was a combination of Raj's suggestion (+5 Raj) and mine that was the final solution.
Jon
01-27-2010 12:35 PM
Regarding NAT, I have it set so that 192.168.16.x and 17.x both use the same public, while 192.168.16.6 uses a second public. There shouldn't be any issues if I were to want to assign 17.x its own public IP though. To answer your second question, yes, I now have a single link - the inside interface of the ASA is 192.168.1.1, the routed port of the 3560 is 192.168.1.2. The 192.168.1.x network does not exist anywhere other than on those two interfaces.
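Added example (not code from any poster in this thread): a small Python check over constructed switch and ASA config snippets modelled on the final design above (a transit link between the 3560 routed port 192.168.1.2 and the ASA inside interface 192.168.1.1). It flags the two things this thread turned on: a VLAN subnet the ASA has no return route for via the switch's routed port, and a VLAN subnet no NAT statement covers. The sample configs, interface names and the /30 mask are assumptions, not the poster's real config.

```python
import ipaddress, re

# Constructed sample (not the poster's real config). One return route and one NAT line
# are deliberately missing so the checks below have something to report.
SWITCH_CONFIG = """
interface vlan 10
 ip address 192.168.16.1 255.255.255.0
interface vlan 20
 ip address 192.168.17.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 192.168.1.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 192.168.1.1
"""
ASA_CONFIG = """
global (outside) 1 interface
nat (inside) 1 192.168.16.0 255.255.255.0
nat (inside) 2 192.168.16.6 255.255.255.255
route inside 192.168.17.0 255.255.255.0 192.168.1.2
route outside 0.0.0.0 0.0.0.0 200.1.1.6 1
"""

def svi_subnets(switch_cfg):
    """Map VLAN id -> subnet for each 'interface vlan N' SVI; routed ports are skipped."""
    subnets, vlan = {}, None
    for line in (l.strip() for l in switch_cfg.splitlines()):
        if m := re.match(r"interface vlan\s*(\d+)$", line, re.I):
            vlan = int(m.group(1))
        elif line.startswith("interface"):
            vlan = None  # a routed port, not an SVI: reset until the next 'interface vlan'
        elif vlan is not None and (m := re.match(r"ip address (\S+) (\S+)", line)):
            subnets[vlan] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return subnets

def asa_routes(asa_cfg):
    """(network, next_hop) pairs from ASA 'route <if> <net> <mask> <gw>' lines."""
    return [(ipaddress.ip_network(f"{n}/{mask}", strict=False), ipaddress.ip_address(gw))
            for n, mask, gw in re.findall(r"^route \S+ (\S+) (\S+) (\S+)", asa_cfg, re.M)]

def missing_return_routes(switch_cfg, asa_cfg, switch_port_ip):
    """VLANs whose subnet the ASA has no route back to via the switch's routed port."""
    hop, routes = ipaddress.ip_address(switch_port_ip), asa_routes(asa_cfg)
    return [v for v, net in svi_subnets(switch_cfg).items()
            if not any(net.subnet_of(r) and gw == hop for r, gw in routes)]

def unnatted_vlans(switch_cfg, asa_cfg):
    """VLANs whose subnet no 'nat (<if>) <id> <net> <mask>' line covers."""
    nats = [ipaddress.ip_network(f"{n}/{mask}", strict=False)
            for n, mask in re.findall(r"^nat \(\S+\) \d+ (\S+) (\S+)", asa_cfg, re.M)]
    return [v for v, net in svi_subnets(switch_cfg).items() if not any(net.subnet_of(n) for n in nats)]
```

With the sample above, `missing_return_routes(SWITCH_CONFIG, ASA_CONFIG, "192.168.1.2")` reports VLAN 10 (its /24 only matches the ASA default route, which points outside) and `unnatted_vlans` reports VLAN 20.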
01-27-2010 12:53 PM
Jon.. thanks a ton for your comments, and the points... this is the best 5 pointer I have ever taken
Thanks again
Raj