Aruba Instant & Cloud Wi-Fi

Super Contributor II
Posts: 429
Registered: ‎01-19-2011

src and dst nat on 105 instant

Is there a way to source NAT the traffic on the Instant devices?

Use case -

I would like to hide the guest traffic behind the IAP address and force all traffic to a proxy server. The access rules allow you to dest NAT the traffic; however, a Wireshark trace of the traffic shows that the source address is from the client.

Any way to source all the traffic from a single address? I am using the latest firmware.

Matt

Aruba
Posts: 1,284
Registered: ‎08-29-2007

Re: src and dst nat on 105 instant

You'll need to make the vlan 'virtual controller assigned' and then it will be natted behind the IAP address.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: src and dst nat on 105 instant

This can only be done by choosing the option to make the IP network assigned - would this mean running a DHCP server on the network for the guest clients?

Aruba
Posts: 1,284
Registered: ‎08-29-2007

Re: src and dst nat on 105 instant

'Virtual controller assigned' is what you need. This will then use the internal dhcp on the virtual controller and then nat behind

Network assigned and default means the clients get an ip from the same subnet as the IAP.

Network assigned and static means the clients end up on that vlan and there needs to be a dhcp somewhere obviously.

Not used the dynamic before, so not exactly sure what that does.

Hope that helps.

:-)


Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: src and dst nat on 105 instant

This was the original configuration, however it was not working. Any ideas?

Aruba
Posts: 1,284
Registered: ‎08-29-2007

Re: src and dst nat on 105 instant

My colleague actually has seen this.

It seemed to happen if the access rule contained the 'any any allow except to network' statement. Seemingly broke the NATing.

Try to change the rule to be 'any internal_net deny' and then an 'any any permit' after.

But maybe that issue is fixed in later releases anyway.

Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: src and dst nat on 105 instant

As these will be deployed at various sites with different internal network ranges, I would like to keep the configuration simple and just use the AP IP address as the source of the traffic. Is there a way of doing this?

Matt

Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: src and dst nat on 105 instant

The src-dst works until I add in the dst-nat, at which point the src-nat stops working. Does anybody know of a workaround for this issue?

Aruba
Posts: 1,284
Registered: ‎08-29-2007

Re: src and dst nat on 105 instant

Interesting. That sounds like a bug. Make sure you raise it with TAC.

What version are you using?


Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: src and dst nat on 105 instant

We are using version "ArubaInstant_Orion_6.2.1.0-3.3.0.1_38408".

Here is the output from the config -

 rule any any match icmp any any permit
 rule any any match udp 53 53 permit
 rule any any match udp 67 68 permit
 rule any any match tcp 80 80 dst-nat ip 17.18.19.20

As soon as the last rule is introduced the source NAT stops being performed and the traffic appears on the wired side sourced from the Client IP address.
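
One way to confirm the symptom described in this thread from the wired side, as an added example that is not part of the original posts or Aruba's tooling: the script reads `tcpdump -nn` text output and flags packets that reach the proxy from the dst-nat rule with a guest client source instead of the IAP address. The IAP address, the guest pool and the capture lines are constructed assumptions; only the proxy address and port come from the rule quoted above.

```python
import ipaddress
import re

# Assumed values, not from the thread: the IAP's wired address and the guest pool.
IAP_ADDR = ipaddress.ip_address("192.0.2.10")
GUEST_POOL = ipaddress.ip_network("172.31.98.0/23")
# Proxy target taken from the dst-nat rule quoted in the thread.
PROXY = (ipaddress.ip_address("17.18.19.20"), 80)

# Matches IPv4 lines from `tcpdump -nn`: "<time> IP a.b.c.d.sport > e.f.g.h.dport: ..."
LINE_RE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

# Constructed sample of a wired-side capture.
SAMPLE = """\
10:15:01.100000 IP 192.0.2.10.40112 > 192.0.2.53.53: 4660+ A? example.com. (29)
10:15:01.200000 IP 172.31.98.27.51514 > 17.18.19.20.80: Flags [S], seq 1, win 64240, length 0
10:15:01.300000 IP 192.0.2.10.40113 > 17.18.19.20.80: Flags [S], seq 9, win 64240, length 0
10:15:01.400000 IP 17.18.19.20.80 > 172.31.98.27.51514: Flags [S.], seq 5, ack 2, win 65160, length 0
10:15:01.500000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
"""

def classify(line):
    """Return 'natted', 'leak', or None (not proxy-bound traffic or unparsable)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m.group(1))
    dst = (ipaddress.ip_address(m.group(3)), int(m.group(4)))
    if dst != PROXY:
        return None
    if src == IAP_ADDR:
        return "natted"
    return "leak" if src in GUEST_POOL else None

def audit(capture_text):
    """Count proxy-bound packets by verdict and collect leaking client addresses."""
    counts = {"natted": 0, "leak": 0}
    leaking = set()
    for line in capture_text.splitlines():
        verdict = classify(line)
        if verdict:
            counts[verdict] += 1
            if verdict == "leak":
                leaking.add(LINE_RE.search(line).group(1))
    return counts, sorted(leaking)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-zero leak count after the dst-nat rule is added, with zero leaks before it, is the evidence to attach to a TAC case.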
