ArubaOS and Controllers

Occasional Contributor II
Posts: 22
Registered: ‎09-23-2010

Dst Nat not working on controller to proxy

hi guys,

we are having issues with HTTPS on the controller, our Dnat rule that nats HTTP to 8080 works fine

however, when we create another rule to nat 443 to 8081 (8081 is listening on the controller) we get error interrupted session on the client Internet Explorer

We have requirements to dnat 80, 8080 and 443 for guest web users (they use captive portal)

any help would be great

thanks
Occasional Contributor II
Posts: 22
Registered: ‎09-23-2010

Re: Dst Nat not working on controller to proxy

When we remove the DNAT rule for the HTTPS traffic, and put the proxy IP into the clients browser, it works fine

This is obviously related to the DNAT of https

Any ideas guys?

Thanks
kris
Aruba
Posts: 760
Registered: ‎05-31-2007

Debugging DST-NAT

I would recommend that you view the firewall hits when the HTTPS sessions are being attempted from the client.

For a first step, you can do this using the WEBUI under Monitoring/Firewall Hits (refresh the counters to zero, then start some HTTPS from the client, check if there is evidence of the (proper) dst-nat rule being triggered at all)

Are you using the canned Dst-NAT rule for captive portal redirection or something you configured? If the latter, can you paste in the policy for dst-nat?

Tks!
Occasional Contributor II
Posts: 22
Registered: ‎09-23-2010

Re: Dst Nat not working on controller to proxy

Hi,

Not sure what you mean re 'canned dst-nat'

in any case, here is our policy

ip access-list session guest-web
any network 192.168.0.0 255.255.0.0 any deny log
any network 172.16.0.0 255.240.0.0 any deny log
any network 10.0.0.0 255.0.0.0 any deny log
user any svc-http dst-nat ip 163.8.85.68 8080
user any svc-https dst-nat ip 163.8.85.68 8081
user any svc-http-proxy2 dst-nat ip 163.8.85.68 8082
user any svc-dhcp permit
user any svc-icmp permit
user any svc-dns permit

So, we are dst natting any 80,443 or 8080 traffic towards our proxy using 8080,8081 and 8082

Regards
kris
Aruba
Posts: 760
Registered: ‎05-31-2007

Proxy

Thanks for the policy.

To clarify, what is 163.8.85.68? The controller or a separate Proxy server that provides captive portal?

I ask as in the thread there is reference to the controller and also to a proxy...want to be sure if there are two boxes, or just one.

Tks!

!
user any svc-http dst-nat ip 163.8.85.68 8080
user any svc-https dst-nat ip 163.8.85.68 8081
user any svc-http-proxy2 dst-nat ip 163.8.85.68 8082
!
Occasional Contributor II
Posts: 22
Registered: ‎09-23-2010

Re: Dst Nat not working on controller to proxy

The 163.8.86.68 is a proxy... the captive portal is provided by the Controller itself.

We flick the internet requests off to the proxy, hence the dst nat rules

Cheers
kris
Occasional Contributor II
Posts: 22
Registered: ‎09-23-2010

Re: Dst Nat not working on controller to proxy

My internet policies are inside the guest-web, it dst nats to 8081 for HTTPS. Would that conflict with the captive portal policy which does the same thing but is required for HTTPS on captive portal?

I am seeing hits on my 'guest-web' policy which dst nats my https
Occasional Contributor II
Posts: 27
Registered: ‎03-16-2010

Re: Dst Nat not working on controller to proxy


Is your proxy capable of transparently proxying SSL? Squid requires SSLBump to do this, and will prompt certificate warnings from most browsers as the proxy certificate will not match the remote site cert. I'm not sure what the IE specific error is in this case, as we just NAT most of our SSL traffic for this reason.
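
An added illustration, not part of any post in this thread, of the difference the last reply points at: what arrives on the proxy port when the browser is configured with the proxy versus when port 80 or 443 is dst-natted to it. The function names, labels and sample payloads are constructed for this example.

```python
# Added example: classify the first bytes a proxy listener receives.
# All payloads below are constructed samples, not captures from the thread.

def classify_first_bytes(data: bytes) -> str:
    """Label the kind of client traffic that opened a connection to the proxy."""
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "raw-tls"
    request_line = data.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "unknown"
    method, target = parts[0], parts[1]
    if method == b"CONNECT":
        return "explicit-proxy-connect"   # browser knows it talks to a proxy
    if target.startswith((b"http://", b"https://")):
        return "explicit-proxy-http"      # absolute-URI form sent to a proxy
    if target.startswith(b"/"):
        return "intercepted-http"         # origin-form: client thinks it is the web server
    return "unknown"

def needs_tls_interception(kind: str) -> bool:
    """True when the proxy sees no HTTP at all and must terminate TLS itself
    (SSLBump in Squid, as the reply above mentions) to act on the request."""
    return kind == "raw-tls"

# Browser configured with the proxy, HTTPS site: a readable CONNECT request.
EXPLICIT_HTTPS = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
# Browser configured with the proxy, HTTP site: absolute-URI request.
EXPLICIT_HTTP = b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Port 80 dst-natted to the proxy: origin-form request, destination is in Host.
DNAT_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Port 443 dst-natted to the proxy: start of a TLS ClientHello, no HTTP text.
DNAT_HTTPS = bytes.fromhex("16030100c8010000c40303") + bytes(32)

if __name__ == "__main__":
    samples = {"explicit https": EXPLICIT_HTTPS, "explicit http": EXPLICIT_HTTP,
               "dst-nat 80": DNAT_HTTP, "dst-nat 443": DNAT_HTTPS}
    for name, payload in samples.items():
        kind = classify_first_bytes(payload)
        print(f"{name:15} {kind:24} tls-interception-needed={needs_tls_interception(kind)}")
```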