ArubaOS and Controllers

New Contributor
Posts: 2
Registered: ‎12-07-2010

RAP unable to split tunnel properly

Hi All,

I am having a problem with RAP in a split tunnel setup. RAP is connected to remote branch (192.168.1.0) and is able to connect successfully to the right profile and role. I have 3 requirements.

1) User at remote branch is able to get IP from branch’s DHCP server (done! Using 1st rule)
2) User is able to surf internet using branch’s internet access (done! Using last rule)
3) User is able to tunnel back to HQ via RAP (unable to src-NAT properly). I am unable to ping any HQ IP address.

I have tried to use svc-icmp and src-nat with an IP pool but am unable to ping HQ. What is the requirement for NAT to happen to get into the HQ, since HQ does not have a route to my branch in the core switch?

ip access-list session Splittunnel
any any svc-dhcp route src-nat ---> get local dhcp
any network 192.168.1.0 255.255.255.0 any route src-nat -->access remote branch servers
any network 192.168.100.0 255.255.0.0 any permit--->Access HQ, but this rule doesn't seem to NAT to controller interface IP thus unroutable.
any any any route src-nat ---->access internet


Been on this problem for a few days. Need some urgent help.
Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: RAP unable to split tunnel properly

"any network 192.168.100.0 255.255.0.0 any permit--->Access HQ, but this rule doesn't seem to NAT to controller interface IP thus unroutable."

You show your mask as a /16, is this supposed to be a /24?

Also, that rule won't NAT to the controller interface IP, that rule just says to push all traffic bound to 192.168.0.0 (the way it's currently shown) down the tunnel to the controller and route from there.

There's probably a way to NAT this on the controller, but the way I've done my RAP designs (for full tunnel or split-tunnel) is to give the clients connected to the RAP an IP address from within the VLAN that is assigned to the RAP's VAP or wired port. The DHCP server in that case is on the controller (Corporate) side of the network and the VLAN is defined on the network. Then use static routes or OSPF to ensure the Corporate side of the network knows to use the controller to get to that VLAN.

For example, all your branch LANs could be 192.168.1.0/24, but your RAP VAPs and wired ports could be in VLAN 10, which is defined on the controller and in subnet 10.1.1.0/24. Use a corporate DHCP server to give out addresses for that network and use an IP helper on the controller VLAN. All clients on the RAP get an address in 10.1.1.0/24. Put a static on the next-hop inside your Corporate network pointing to the controller or use OSPF to get 10.1.1.0/24 in your Corporate network. Change your policy to read:

ip access-list session Splittunnel
any any svc-dhcp permit (DHCP from Corporate side)
any network 192.168.100.0 255.255.255.0 any permit (access Corporate network)
any any any route src-nat (bridge everything else and src-nat to RAP WAN port)

Hope that helps.
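To see why rule order and the /16 mask matter in the two policies above, here is an added example (not Aruba's code, and not from either poster) that models first-match evaluation of the session ACLs as written. It assumes a simplified semantic: "permit" forwards the flow through the RAP's IPsec tunnel to the controller, "route src-nat" bridges it out the RAP's local uplink with source NAT, only "any" sources are modelled, and the sample flows are constructed.

```python
import ipaddress

# Constructed samples: the original poster's ACL and the revised one from the
# reply, in ArubaOS "ip access-list session" rule form: <src> <dst> <svc> <action>.
ORIGINAL_POLICY = """\
any any svc-dhcp route src-nat
any network 192.168.1.0 255.255.255.0 any route src-nat
any network 192.168.100.0 255.255.0.0 any permit
any any any route src-nat
"""
REVISED_POLICY = """\
any any svc-dhcp permit
any network 192.168.100.0 255.255.255.0 any permit
any any any route src-nat
"""

def parse_rule(line):
    """Parse one rule into (dst_network, service, action); 'any' source only."""
    tok = line.split()
    assert tok[0] == "any", "only 'any' source is modelled in this example"
    if tok[1] == "network":
        # strict=False normalises 192.168.100.0/255.255.0.0 to 192.168.0.0/16
        dst = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        service, action = tok[4], " ".join(tok[5:])
    else:
        dst = ipaddress.ip_network("0.0.0.0/0")
        service, action = tok[2], " ".join(tok[3:])
    return dst, service, action

def parse_policy(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def classify(policy, dst_ip, service="any"):
    """First-match lookup (simplified model of ArubaOS session-ACL evaluation).

    Returns (rule number, action, path). permit = tunnel to the controller;
    route src-nat = bridge via the RAP's local uplink, src-NATed to it.
    """
    dst = ipaddress.ip_address(dst_ip)
    for n, (net, svc, action) in enumerate(policy, 1):
        if dst in net and svc in ("any", service):
            path = "tunnel-to-controller" if action == "permit" else "local-uplink-nat"
            return n, action, path
    return None, "deny", "dropped"  # implicit deny at the end of a session ACL

ORIGINAL = parse_policy(ORIGINAL_POLICY)
REVISED = parse_policy(REVISED_POLICY)

if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.100.5", "192.168.50.5", "8.8.8.8"):
        print(ip, "original:", classify(ORIGINAL, ip), "revised:", classify(REVISED, ip))
```

Running it shows that in the original policy a destination such as 192.168.50.5, which is in neither the branch /24 nor the HQ /24, is still matched by the /16 rule and tunneled, while the branch subnet only escapes that rule because its /24 entry comes first.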
New Contributor
Posts: 2
Registered: ‎12-07-2010

Thanks

Hi Mike,

Thanks for the advice, yes there was a typo there, it is 192.168.0.0/16.

I have this question in my mind that I cannot get any answers to: is it possible or not possible that Aruba cannot NAT an address that it does not know? An example is the 192.168.1.0/24 address at the branch.
Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: RAP unable to split tunnel properly

It can NAT any address.
Colin Joseph
Aruba Customer Engineering
