jaisimha_4474
NAT on the Cisco 3750 / 3560 L3 switches
Could you kindly help me with the following questions:
1) Is there any flavour of the Cisco IOS on the 3750 or 3560 L3 switches that can do NAT ?
2) We are planning to replace an existing Linux machine running a huge number of iptables NAT rules and static routes with a suitable Cisco device (preferably a Layer 3 switch). Is this a good idea? Is this even feasible? If not, what are the other options available?
Please advise.
Cheers
-Jai
ASKER
Thanks to both giltjr and lrmoore for the comments and advice.
I am now looking at a suitable version of the 6500 and also the Cisco 3845 ISR security router.
Looks like both of them can do NAT and PAT to a large extent and also have enough interfaces for our requirements.
But the main question I have is - can they do NAT/PAT like iptables? How will the performance be for something like 150 to 200 static NAT rules?
For example - can the cisco IOS do NAT like this - as in Linux IPtables:
1) DNAT with port translation (including a non-standard port)
iptables -t nat -A PREROUTING -d 75.200.215.6 -p tcp -i eth2 --dport 2506 -j DNAT --to 10.10.10.65:2508
2) SNAT (with source and destination specified)
iptables -t nat -A POSTROUTING -p tcp -o eth2 -s 10.10.12.201 -d 172.16.1.20 -j SNAT --to 192.168.100.1
3) Plain SNAT
iptables -t nat -A POSTROUTING -p tcp -o eth2 -s 10.10.12.123 -j SNAT --to 192.168.1.6
Any inputs will be greatly appreciated.
Thanks
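For reference, here is how the three iptables rules above map onto classic Cisco IOS NAT (added example, not from the post or any of the answers; it assumes an IOS router with the NAT feature set, and the interface names are assumptions, since iptables keys on eth2 while IOS keys on "inside"/"outside" roles):

```cisco
! Interface roles: iptables decided direction by eth2; IOS uses inside/outside.
! (Interface names are assumptions, not taken from the post.)
interface GigabitEthernet0/0
 description LAN side
 ip nat inside
!
interface GigabitEthernet0/1
 description Internet side (the eth2 equivalent)
 ip nat outside
!
! 1) DNAT with port translation: 75.200.215.6:2506 -> 10.10.10.65:2508
!    Static port forward; 'extendable' lets several ports share one global IP.
ip nat inside source static tcp 10.10.10.65 2508 75.200.215.6 2506 extendable
!
! 2) SNAT only when 10.10.12.201 talks to 172.16.1.20: conditional NAT via an
!    ACL matched by a route-map; the pool holds the single address 192.168.100.1.
access-list 120 permit tcp host 10.10.12.201 host 172.16.1.20
route-map SNAT-TO-PARTNER permit 10
 match ip address 120
ip nat pool PARTNER-POOL 192.168.100.1 192.168.100.1 netmask 255.255.255.0
ip nat inside source route-map SNAT-TO-PARTNER pool PARTNER-POOL overload
!
! 3) Plain SNAT for 10.10.12.123 -> 192.168.1.6, TCP only as in the rule.
!    'ip nat inside source static 10.10.12.123 192.168.1.6' would also work,
!    but static NAT is bidirectional (inbound to 192.168.1.6 is forwarded to
!    the host), whereas the iptables POSTROUTING rule only rewrites outbound.
access-list 130 permit tcp host 10.10.12.123 any
ip nat pool HOST-POOL 192.168.1.6 192.168.1.6 netmask 255.255.255.0
ip nat inside source list 130 pool HOST-POOL overload
```

Check the result with `show ip nat translations` (the static entry from rule 1 appears immediately, the others once traffic flows) and `show ip nat statistics` for hit counts per rule.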
True, the 6500 needs the firewall blade and IIRC the blade lists for $21,000.
The ASA5000 is a good choice, PIX is next. Not sure if I would recommend a 3845 for this, unless as lrmoore stated you need WAN interfaces.
ASKER
Thanks for the feedback and suggestions. I now have some clarity on how to proceed.
Your best bet would be a ASA5000 firewall. How many routed interfaces do you need?