ArubaOS and Controllers

Occasional Contributor II

Remote AP providing NAT - possible?

Hi all,

I've got a remote AP configured to broadcast 2 SSIDs which we are testing users taking home. 1 SSID tunnels back to the controller and the other SSID is bridged to the local network. This bridged connection works fine as long as there is a home router to issue internal IP addresses and NAT onto the ADSL line.

We are at a situation where a particular user does not have a home router - only a cable modem which can issue a single (public) IP address. If the Remote AP is connected to this it gets the public IP address and the tunneled SSID works fine, however a client on the bridged SSID cannot get an IP address as the cable modem will only issue 1.

Is there a way to configure the system so if the client connects to the bridged SSID, they are allocated a private IP address from the AP and the AP then does NAT locally? I would like to avoid linking this to any VLANs on the controller.

It looks like split-tunnel might sort of do what I want and to begin with I've tried following the guide starting on page 187 of the user guide.

So far I've created an Access Control Policy, allowed any to any for svc-dhcp. Then I allowed user to any with src-nat. I created the associated user role and applied this role to the AAA profile. I've created a Virtual AP using this AAA profile, as split-tunnel, and I've given it a VLAN which exists on the controller and for which the controller is issuing DHCP addresses (although ideally I would like to avoid having to use a VLAN within the controller).

If my client connects, I am allocated an IP address from the pool, and I can ping the controller's address in this pool however I cannot ping the default router for the network the RAP is connected to.

Any ideas for what I've missed?
Aruba Employee

Re: Remote AP providing NAT - possible?

Jeff,

This is possible. Under the AP System Profile for the AP Group you are using, set up the "Remote-AP DHCP" parameters. If you create an SSID that is in "Always" up mode, set it to bridge mode and then set the initial role in the AAA profile to a role that src-nats all traffic, everything should work as you expect. The RAP will get a single public IP on the E0 interface and will serve DHCP to clients (using whatever VLAN and subnet info you gave it in the AP System Profile). When clients connect to the always-up SSID (which can only be PSK or Open AFAIK), the RAP will src-nat all packets from the public IP.
Occasional Contributor II

Re: Remote AP providing NAT - possible?

Thanks for your suggestion.

I've followed your advice, and now my client is getting an IP address from the range specified in the System Profile. However, I am unable to ping anything (including the address that the AP is sending as the default route).

Any ideas?

cheers,
-Jeff
Aruba Employee

Re: Remote AP providing NAT - possible?

What initial role is assigned to the AAA policy for the SSID? Since the SSID is open, all clients that associate will go into that role. Make sure it's similar to:

any any svc-dhcp permit
any any any src-nat permit

Also, make sure the VLAN in your Virtual AP matches the VLAN you specified in the AP System Profile RAP-DHCP parameters.
Aruba Employee

Re: Remote AP providing NAT - possible?

Sorry, that ACL should be:

any any svc-dhcp permit
any any any route src-nat permit
Occasional Contributor II

Re: Remote AP providing NAT - possible?

The initial role is 'home-NAT'.

The policy is set to:
any any svc-dhcp permit
any any any src-nat

There is no NAT pool set for src-nat.

The Virtual-AP VLAN is 2110 and so is the System Profile Remote-AP DHCP Server VLAN. This is the same VLAN which exists on the controller and which the controller is configured to issue DHCP addresses for. The IP address the client received is from the pool specified in the System Profile.

Cheers,
-Jeff
Occasional Contributor II

Re: Remote AP providing NAT - possible?

Updated ACL to "any any any route src-nat permit"

Should I be able to ping the default gateway issued by the AP DHCP server (192.168.11.1)? This is currently failing.

-Jeff
Aruba Employee

Re: Remote AP providing NAT - possible?

Not unless you add an ACL before the "route" line that allows ICMP. You should be able to resolve DNS and ping routable addresses on the Internet with what you have, but if you want to ping the RAP, the ACL would be:

any any svc-dhcp permit
any any svc-icmp permit
any any any route src-nat
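For reference, the advice in this thread gathered into one ArubaOS CLI configuration. This is an added example, not posted by any participant: VLAN 2110, 192.168.11.1 and the three ACL lines are the values given above; the profile names, the pool range, netmask, DNS server, passphrase and the "!" comment lines (explanatory only, not configuration) are assumptions.

```text
! Session ACL for the local-NAT role: DHCP and ICMP are matched before the
! catch-all "route src-nat" line, which is what lets clients ping the RAP.
ip access-list session home-nat
  any any svc-dhcp permit
  any any svc-icmp permit
  any any any route src-nat
!
user-role home-NAT
  access-list session home-nat
!
! Open/PSK SSID: every client lands in the initial role of the AAA profile.
aaa profile "home-nat-aaa"
  initial-role home-NAT
!
wlan ssid-profile "home-nat-ssid"
  essid "home-nat"
  opmode wpa2-psk-aes
  wpa-passphrase "CHANGE-ME"
!
! Bridge-mode, always-up VAP; its VLAN must match rap-dhcp-server-vlan below.
wlan virtual-ap "home-nat-vap"
  ssid-profile "home-nat-ssid"
  aaa-profile "home-nat-aaa"
  vlan 2110
  forward-mode bridge
  rap-operation always
!
! RAP-local DHCP server; 192.168.11.1 is the gateway Jeff's clients received.
! Pool range, netmask and DNS server are assumed values.
ap system-profile "rap-home"
  rap-dhcp-server-vlan 2110
  rap-dhcp-server-id 192.168.11.1
  rap-dhcp-default-router 192.168.11.1
  rap-dhcp-dns-server 192.168.11.1
  rap-dhcp-pool-start 192.168.11.10
  rap-dhcp-pool-end 192.168.11.250
  rap-dhcp-pool-netmask 255.255.255.0
!
ap-group "rap-home-group"
  ap-system-profile "rap-home"
  virtual-ap "home-nat-vap"
```

With this in place the only controller-side dependency is the profile configuration itself; the RAP hands out the 192.168.11.0/24 addresses locally and source-NATs them behind its public E0 address, so no matching VLAN needs to carry client traffic on the controller.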
Occasional Contributor II

Re: Remote AP providing NAT - possible?

I'm not bothered about being able to ping the AP itself, as long as the rest of the internet is working - however it wasn't. I've added svc-icmp; however, I'm still unable to ping the AP.
Aruba Employee

Re: Remote AP providing NAT - possible?

Can you post your config?