
NAT on the Cisco 3750 / 3560 L3 switches

Could you kindly help me with the following questions:

1) Is there any flavour of the Cisco IOS on the 3750 or 3560 L3 switches that can do NAT?

2) We are planning to replace an existing Linux machine running a huge number of iptables NAT rules and static routes with a suitable Cisco device (preferably a Layer 3 switch). Is this a good idea? Is this even feasible? If not, what are the other options available?

Please advise.

Cheers
-Jai
Asked: jaisimha_4474

giltjr commented:
I would call Cisco or a trusted reseller in your area. I don't believe that either of these support NAT. In fact I don't think that Cisco has NAT in any of their layer 3 switches. The "exception" is the Cat 6500: with a firewall module in it, it (really the firewall module) can do NAT.

Now, I would assume that you are really using the Linux machine as a router/firewall and not a "layer 3 switch". Yes, a layer 3 switch is like a router, but it is not one. I would also assume that you don't have 24 or 48 Ethernet NICs in it.

So, I would look at how many ports you really need and then look at some Cisco routers that do support NAT.
 
lrmoore commented:
I have not yet seen any Cisco Layer 3 switches that will perform NAT.
Your best bet would be an ASA5000 firewall. How many routed interfaces do you need?
 
jaisimha_4474 (Author) commented:
Thanks to both giltjr and lrmoore for the comments and advice.

I am now looking at a suitable version of the 6500 and also the Cisco 3845 ISR security router.

Looks like both of them can do NAT and PAT to a large extent and also have enough interfaces for our requirements.

But the main question I have is: can they do NAT/PAT like iptables? How will the performance be for something like 150 to 200 static NAT rules?

For example, can the Cisco IOS do NAT like this, as in Linux iptables:

1) DNAT with port translation (including a non-standard port)

iptables -t nat -A PREROUTING -d 75.200.215.6 -p tcp -i eth2 --dport 2506 -j DNAT --to 10.10.10.65:2508

2) SNAT (with source and destination specified)

iptables -t nat -A POSTROUTING -p tcp -o eth2 -s 10.10.12.201 -d 172.16.1.20 -j SNAT --to 192.168.100.1

3) Plain SNAT

iptables -t nat -A POSTROUTING -p tcp -o eth2 -s 10.10.12.123 -j SNAT --to 192.168.1.6

Any inputs will be greatly appreciated.

Thanks
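The three iptables rules above, translated to router IOS static NAT as an added illustration (this is not configuration from the thread; the interface names, the ACL name and the route-map name are assumed, and ASA syntax differs, as lrmoore notes below):

```cisco
! Assumed interface roles: Gi0/0 faces the 10.10.x.x hosts (inside),
! Gi0/1 is the equivalent of eth2 (outside).
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
!
! 1) DNAT with port translation: 75.200.215.6:2506 -> 10.10.10.65:2508
!    IOS states it from the inside: inside local 10.10.10.65 port 2508
!    is reachable as inside global 75.200.215.6 port 2506.
ip nat inside source static tcp 10.10.10.65 2508 75.200.215.6 2506
!
! 2) SNAT only for traffic from 10.10.12.201 to 172.16.1.20
!    The destination condition needs policy NAT: an ACL selects the
!    flow and a route-map ties it to the static translation.
ip access-list extended SNAT-201-TO-172
 permit tcp host 10.10.12.201 host 172.16.1.20
route-map SNAT-201 permit 10
 match ip address SNAT-201-TO-172
ip nat inside source static 10.10.12.201 192.168.100.1 route-map SNAT-201
!
! 3) Plain SNAT: 10.10.12.123 -> 192.168.1.6
ip nat inside source static 10.10.12.123 192.168.1.6
```

Unlike the one-way PREROUTING/POSTROUTING chains, each IOS static entry is bidirectional: rule 1 also rewrites outbound traffic from 10.10.10.65:2508 to appear as 75.200.215.6:2506, so one IOS line may replace a DNAT/SNAT pair from the iptables set.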
 
lrmoore commented:
The 6500, as big a beast as it is, will not do NAT without a firewall blade in it.

How many separate interfaces do you need? ASA5500 series come with 2x 10/100/1000 and 3x 10/100, and yes, you can do just about anything you need with ip nat commands. ASA/PIX does it very differently than router IOS.
I would strongly recommend ASA over a 3845 router unless you need the WAN interface capabilities of the router.
 
giltjr commented:
True, the 6500 needs the firewall blade and IIRC the blade lists for $21,000.

The ASA5000 is a good choice, PIX is next.  Not sure if I would recommend a 3845 for this, unless as lrmoore stated you need WAN interfaces.
 
jaisimha_4474 (Author) commented:
Thanks for the feedback and suggestions. I now have some clarity on how to proceed.