Controller Based WLANs

Does ArubaOS support many-to-many src NAT?

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.

 

There is some confusion when a user tries to configure a range of IP addresses for a NAT pool: all clients end up sharing only the first IP address in the pool, and the user wonders when and how the remaining public IPs are used.

In the current ArubaOS implementation, all TCP and UDP traffic is source-NATed only to the first IP address of the NAT pool. Only IP packets that are neither TCP nor UDP, such as ESP and GRE, are NATed to the other addresses in the pool.

 

So how can a customer configure many-to-many src-nat for a large pool of private IP addresses? The simple answer is to create multiple single-address NAT pools, reference each one from its own src-nat session ACL, and assign users to different user roles so that the wireless user population is spread across those policies.

The following example distributes captive-portal clients across three single-address NAT pools based on the last digit of the user name; each role applies a different src-nat ACL, so each group of users is NATed to a different public address:

 

ip nat pool public-1 210.3.2.1 210.3.2.1
ip nat pool public-2 210.3.2.2 210.3.2.2
ip nat pool public-3 210.3.2.3 210.3.2.3

ip access-list session dhcp-acl
 any any svc-dhcp permit
!

ip access-list session cplogout
 user alias mswitch svc-https dst-nat
!

ip access-list session src-nat-1-acl
 user any any src-nat pool public-1
!

ip access-list session src-nat-2-acl
 user any any src-nat pool public-2
!

ip access-list session src-nat-3-acl
 user any any src-nat pool public-3
!

user-role authd-user-public1-role
 session-acl dhcp-acl
 session-acl cplogout
 session-acl src-nat-1-acl
!

user-role authd-user-public2-role
 session-acl dhcp-acl
 session-acl cplogout
 session-acl src-nat-2-acl
!

user-role authd-user-public3-role
 session-acl dhcp-acl
 session-acl cplogout
 session-acl src-nat-3-acl
!

aaa server-group cp-auth-captiveportal
 set role condition User-Name ends-with 1 set-value authd-user-public1-role
 set role condition User-Name ends-with 2 set-value authd-user-public2-role
 set role condition User-Name ends-with 3 set-value authd-user-public3-role
!
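As an added example (not Aruba's code and not part of this article), the Python script below parses pool, session-ACL and user-role stanzas written in the style shown above and reports the two mistakes that are easy to make with this approach: a pool that spans more than one address, which under the first-address rule still NATs all TCP/UDP traffic to its first address, and a role whose src-nat ACL references a pool other than the one its name implies. It also derives the public address each role's TCP/UDP traffic would actually use. The embedded sample configuration is constructed for this purpose (it deliberately contains both mistakes); the pool and ACL names follow the article, and the role-name convention `authd-user-publicN-role` is an assumption used only for the role-to-pool check.

```python
"""Added example (not part of the article): lint an ArubaOS-style src-nat
config for multi-address pools (TCP/UDP only ever use the first address)
and for roles whose src-nat ACL reaches a pool other than the one named."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the article's syntax, with the pitfalls left in.
SAMPLE_CONFIG = """\
ip nat pool public-1 210.3.2.1 210.3.2.1
ip nat pool public-2 210.3.2.1 210.3.2.2
ip nat pool public-3 210.3.2.1 210.3.2.3
ip access-list session src-nat-1-acl
 user any any src-nat pool public-1
!
ip access-list session src-nat-2-acl
 user any any src-nat pool public-2
!
ip access-list session src-nat-3-acl
 user any any src-nat pool public-3
!
user-role authd-user-public1-role
 session-acl dhcp-acl
 session-acl src-nat-1-acl
!
user-role authd-user-public2-role
 session-acl dhcp-acl
 session-acl src-nat-3-acl
!
user-role authd-user-public3-role
 session-acl dhcp-acl
 session-acl src-nat-3-acl
!
"""

def parse_config(text):
    """Return (pools, acl_pool, role_acls) extracted from the config text."""
    pools = {}                     # pool name -> (first address, last address)
    acl_pool = {}                  # session ACL name -> pool it src-nats to
    role_acls = defaultdict(list)  # role name -> session ACLs applied
    block = None                   # ("acl", name) or ("role", name)
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line == "!":            # "!" closes the current block
            block = None
            continue
        m = re.match(r"ip nat pool (\S+) (\S+) (\S+)$", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
            continue
        m = re.match(r"ip access-list session (\S+)$", line)
        if m:
            block = ("acl", m.group(1))
            continue
        m = re.match(r"user-role (\S+)$", line)
        if m:
            block = ("role", m.group(1))
            continue
        if block is None or not line.startswith(" "):
            continue               # only indented lines belong to a block
        kind, name = block
        if kind == "acl" and (m := re.search(r"src-nat pool (\S+)$", line)):
            acl_pool[name] = m.group(1)
        elif kind == "role" and (m := re.match(r"\s+session-acl (\S+)$", line)):
            role_acls[name].append(m.group(1))
    return pools, acl_pool, dict(role_acls)

def role_pools(text):
    """Map each role to the sorted set of NAT pools its src-nat ACLs reach."""
    pools, acl_pool, role_acls = parse_config(text)
    return pools, {r: sorted({acl_pool[a] for a in acls if a in acl_pool})
                   for r, acls in role_acls.items()}

def lint(text):
    """Return human-readable findings; an empty list means the config is clean."""
    pools, by_role = role_pools(text)
    findings = [f"pool {n}: spans {a}-{b}, but TCP/UDP will only use {a}; "
                f"make it a single-address pool"
                for n, (a, b) in pools.items() if a != b]
    for role, used in by_role.items():
        if len(used) != 1:
            findings.append(f"role {role}: reaches {len(used)} src-nat pools")
            continue
        want = re.search(r"public(\d+)-role$", role)   # assumed naming scheme
        have = re.search(r"-(\d+)$", used[0])
        if want and have and want.group(1) != have.group(1):
            findings.append(f"role {role}: src-nats via {used[0]}, "
                            f"expected public-{want.group(1)}")
    return findings

def effective_public_ip(text):
    """Public address each role's TCP/UDP traffic will actually use."""
    pools, by_role = role_pools(text)
    return {r: str(pools[u[0]][0]) for r, u in by_role.items()
            if len(u) == 1 and u[0] in pools}

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(effective_public_ip(SAMPLE_CONFIG))
```

Run against the sample, `lint()` reports the two multi-address pools and the role that points at the wrong pool, and `effective_public_ip()` shows that every role would still share 210.3.2.1, which is exactly the symptom the article opens with. Once the pools are reduced to single addresses and the role references its own ACL, the findings list is empty and each role maps to its own public address.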

Version History
Revision #: 1 of 1
Last update: 06-30-2014 06:27 PM

Comments
flahammerhead

I am using NAT with an inside DHCP pool that allows 1,000+ addresses (handed out with a Windows 2008R2 server) NAT to the outside interface on the controller. We have a legacy 5000 controller with 256MB of memory. It seems when we hit around 550-600 connections, incremental users no longer receive an IP address. Users simply receive an internal 169.x.x.x address and can't go anywhere. If I reset the controller, eventually the same thing repeats. I can plug a W/S on the VLAN in question and get an IP no problem.

Am I reaching the capacity of this controller? We typically can see 700-800 connections, so about 1/4 of the users are hosed. We are planning on upgrading later this year but in the interim, I would make a lot of people happier if I could resolve this issue.

baro

Any upgrade to this limit of Aruba's many2many SNAT? Any version of Aruba OS out there implementing a real many2many SNAT (aka, in my opinion, Linux's iptables one)?

Thank you very much

Andrea Barontini
