
Static NAT to Inside VLAN

Status
Not open for further replies.

Devry84

Technical User
Nov 27, 2012
14
US
I am attempting to setup external access to a vlan. I am using a Sonicwall firewall and a Cisco 3750 switch. The switch is controlling the VLAN's.

I have the firewall setup and I had Sonicwall support verify the configuration.

When connected to the VLAN I can connect to the internet and see devices on other VLAN's.

I am unable to connect when I target the outside address.

I am setup on the sonicwall to use the VLAN gateway address to be able to see the inside server.

Do I need an access-list or anything else on the switch in order to allow the traffic to connect?

 
Not in the 3750 you don't...post a sh run from the 3750

ip access-list extended IP-Options-and-Powerball
 deny ip any any winning-powerball-ticket
 permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
 match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
 class ACL-Options-and-Powerball
  drop
!
control-plane
 service-policy input CoPP-POLICY
 
Here is the sho run from the 3750
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname
!
enable secret 5
!
username
no aaa new-model
clock timezone central 5
clock summer-time CST recurring
switch 2 provision ws-c3750-48p
ip subnet-zero
ip routing
ip domain-name DDCI
ip name-server 199.34.66.36
ip name-server 199.34.64.35
!
ip dhcp pool vlan20
 network 192.168.67.0 255.255.255.0
 default-router 192.168.67.1
 lease 7
!
ip dhcp pool vlan30
 network 192.168.80.0 255.255.255.0
 default-router 192.168.80.2
 lease 7
!
crypto pki trustpoint TP-self-signed-218851712
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-218851712
 revocation-check none
 rsakeypair TP-self-signed-218851712
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet2/0/1
 description UPLINK to COLOFW
 switchport mode access
 duplex full
 spanning-tree portfast
!
interface FastEthernet2/0/2
 description
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet2/0/3
 description
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet2/0/4
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet2/0/5
!
interface FastEthernet2/0/6
!
interface FastEthernet2/0/7
!
interface FastEthernet2/0/8
!
interface FastEthernet2/0/9
!
interface FastEthernet2/0/10
!
interface FastEthernet2/0/11
!
interface FastEthernet2/0/12
!
interface FastEthernet2/0/13
!
interface FastEthernet2/0/14
!
interface FastEthernet2/0/15
!
interface FastEthernet2/0/16
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping trust
!
interface FastEthernet2/0/17
!
interface FastEthernet2/0/18
!
interface FastEthernet2/0/19
!
interface FastEthernet2/0/20
!
interface FastEthernet2/0/21
!
interface FastEthernet2/0/22
!
interface FastEthernet2/0/23
!
interface FastEthernet2/0/24
!
interface FastEthernet2/0/25
!
interface FastEthernet2/0/26
!
interface FastEthernet2/0/27
!
interface FastEthernet2/0/28
!
interface FastEthernet2/0/29
!
interface FastEthernet2/0/30
!
interface FastEthernet2/0/31
!
interface FastEthernet2/0/32
!
interface FastEthernet2/0/33
!
interface FastEthernet2/0/34
!
interface FastEthernet2/0/35
!
interface FastEthernet2/0/36
!
interface FastEthernet2/0/37
!
interface FastEthernet2/0/38
!
interface FastEthernet2/0/39
!
interface FastEthernet2/0/40
!
interface FastEthernet2/0/41
!
interface FastEthernet2/0/42
!
interface FastEthernet2/0/43
!
interface FastEthernet2/0/44
!
interface FastEthernet2/0/45
!
interface FastEthernet2/0/46
!
interface FastEthernet2/0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet2/0/48
 description UPLINK to Sonicwall
 switchport mode access
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface Vlan1
 ip address 192.168.65.2 255.255.255.0
 no ip route-cache cef
 no ip route-cache
!
interface Vlan20
 ip address 192.168.67.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.80.2 255.255.255.0
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.65.3
ip http server
ip http authentication local
ip http secure-server
!
control-plane
!
banner
 
Does the Sonicwall have routes configured for each of the inside subnets:
ip address 192.168.67.0 255.255.255.0
ip address 192.168.80.0 255.255.255.0
pointing at 192.168.65.2?
 
Since I am only concerned with access to 192.168.67.0 I had only created a route for that network. Originally I pointed it to 192.168.65.2 but I was not able to connect so I changed it to the default router address of VLAN 20 which is 192.168.67.1.

 
Not quite understanding...do you have something on your inside that you need to access from the outside, or vice-versa?

If from out to in, then static PAT; if from in to out, then...NAT/PAT

 
Hi

You need to add the following route on the sonicwall fw
ip route 192.168.67.0 255.255.255.0 192.168.65.2
ip route 192.168.80.0 255.255.255.0 192.168.65.2
Also, you need to ensure that nat is setup correctly on the sonicwall fw

Another solution would be to use routed port on interface FastEthernet2/0/48,
that way your default route can point to interface FastEthernet2/0/48

HTH
-viconsul
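The advice in this thread comes down to one routing fact: the SonicWall can only use a static-route next hop that sits on one of its own connected subnets, so routes for the inside VLANs have to point at the switch's address on the firewall-facing VLAN (192.168.65.2), not at a VLAN's own gateway (192.168.67.1). The script below is an added example, not code from the thread or from either vendor. It parses the SVI and default-route lines from the posted 3750 `show run`, derives the firewall routes viconsul lists, and explains why the earlier attempt with 192.168.67.1 as next hop could not work. It assumes (as the config suggests but does not state) that the SonicWall's inside interface is 192.168.65.3 on VLAN 1, the switch's default-route next hop.

```python
"""
Added example for the Tek-Tips thread "Static NAT to Inside VLAN".
Derives the static routes the firewall needs from the switch config and
sanity-checks a proposed next hop the way the firewall's routing table would.
Assumption: the firewall's inside address is the switch's default-route next
hop (192.168.65.3), so VLAN 1 is the transit subnet between the two boxes.
"""
import ipaddress
import re

# Constructed sample: the routing-relevant lines of the 3750 'show run'
# posted in the thread (SVIs and the default route).
SWITCH_CONFIG = """\
interface Vlan1
 ip address 192.168.65.2 255.255.255.0
!
interface Vlan20
 ip address 192.168.67.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.80.2 255.255.255.0
 shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.65.3
"""


def parse_svis(config):
    """Return {svi_name: {"iface": IPv4Interface, "shutdown": bool}}
    for every 'interface VlanN' stanza that carries an IP address."""
    svis = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Vlan\d+)$", line)
        if m:
            current = m.group(1)
            svis[current] = {"iface": None, "shutdown": False}
            continue
        if current is None:
            continue
        if line == "!":            # end of the interface stanza
            current = None
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:                      # ipaddress accepts dotted-decimal masks
            svis[current]["iface"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif line == "shutdown":
            svis[current]["shutdown"] = True
    return {k: v for k, v in svis.items() if v["iface"] is not None}


def default_route_next_hop(config):
    """The switch's 'ip route 0.0.0.0 0.0.0.0 X' next hop, i.e. the firewall."""
    m = re.search(r"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", config, re.M)
    return ipaddress.ip_address(m.group(1)) if m else None


def transit_subnet(config):
    """Return (svi_name, IPv4Interface) of the SVI whose subnet contains the
    firewall; that SVI address is the only next hop the firewall can reach."""
    fw = default_route_next_hop(config)
    for name, v in parse_svis(config).items():
        if fw is not None and fw in v["iface"].network:
            return name, v["iface"]
    raise ValueError("default-route next hop is not on any SVI subnet")


def firewall_routes(config):
    """Static routes the firewall needs for return traffic to the inside VLANs:
    (destination, next_hop, note) for every SVI subnet except the transit one."""
    transit_name, transit_iface = transit_subnet(config)
    routes = []
    for name, v in parse_svis(config).items():
        if name == transit_name:
            continue
        note = "SVI is shutdown; route is harmless but unusable" if v["shutdown"] else "ok"
        routes.append((str(v["iface"].network), str(transit_iface.ip), note))
    return routes


def check_next_hop(config, proposed_next_hop):
    """(usable, reason): a static route's next hop must be on a subnet the
    firewall is directly connected to, otherwise it can never ARP for it."""
    _, transit_iface = transit_subnet(config)
    hop = ipaddress.ip_address(proposed_next_hop)
    if hop in transit_iface.network:
        return True, f"{hop} is on the firewall's connected subnet {transit_iface.network}"
    return False, (f"{hop} is not on {transit_iface.network}; point the route at "
                   f"{transit_iface.ip}, the switch's address on that subnet")


if __name__ == "__main__":
    for dest, hop, note in firewall_routes(SWITCH_CONFIG):
        print(f"firewall route: {dest} via {hop}  ({note})")
    for candidate in ("192.168.67.1", "192.168.65.2"):
        print(candidate, "->", check_next_hop(SWITCH_CONFIG, candidate))
```

Running it reproduces viconsul's two routes (192.168.67.0/24 and 192.168.80.0/24 via 192.168.65.2) and flags the 192.168.80.0/24 route as unusable while Vlan30 stays shut down. Routes on the firewall only fix the return path; the inbound static NAT policy on the SonicWall still has to translate the public address to the server on VLAN 20, as the thread's replies note.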
 