NAT from internet to VLAN

I am working on an new configuration for my PIX/ASA firewall and need a little assistance.

I recently acquired a couple of Cisco 3750 layer three switches and am going to deploy them to turn up a couple of VLAN's.

One of my customers will need access to an inside host on one of the VLAN's.

I know how to create traditional NAT translations to allow access to inside resources. I am not real clear on the process to create the NAT statements to allow access to a VLAN other than the primary management VLAN currently defined.

What I was going to do was to set up a NAT statement and accompanying ACL that will allow the interesting traffic from customer to access new IP address in the new VLAN. Is there anything else that is needed to provide access in this scenario?

I have attached a network drawing of what I need to do.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

Node Man

Hi Iceman,
I dont have an exact answer and am new to this. But if it helps: I believe that a VLAN is an ethernet/layer 2 protocol and NAT is a Layer 3/IP protocol. I think your scenario has more to do with VTP or VLan TRUNKING. Than just a vlan. That topic is totally new to me. I hope i have helped a little.

Node

TheNewITGuy

you can just route inside to the 3750 where the vlan is configured. use a static nat etc on the ASA and route it

ICEMAN84

I have applied my route statement to the interface and I can now get to the internet from VLAN 20. I also applied a static NAT statement permitting traffic from an outside IP to a VLAN address. No connectivity. nat statement is (static (colo,outside) [outside IP] [vlan IP] netmask 255.255.255.255).

xXErebuS

ICEMAN84 wrote: »

I have applied my route statement to the interface and I can now get to the internet from VLAN 20. I also applied a static NAT statement permitting traffic from an outside IP to a VLAN address. No connectivity. nat statement is (static (colo,outside) [outside IP] [vlan IP] netmask 255.255.255.255).

How are you permitting traffic in the ACL; if its PRE 8.3 you need to use NAT addresses; if its 8.3+ you need to use the inside(real) addresses. In addition make sure you have a route statement on the ASA for the "vlan ip".

Hopefully you won't need a IPSERVICES license on that 3750 they get quite expensive!

PS what is VLAN 20; I do not see it in your drawing.