How to NAT and redirect of specific traffic using ACL on Aruba controller if Aruba controller is not the gateway for the client
Introduction :
As per the below topology we have clients associating to Vlan 2 and their gateway is Firewall. Also, the controller gateway is defined on the firewall. We have a server in Vlan-x which is only routable to controller interface IP. We would like to send specific traffic to the server. As the gateway for the clients is Firewall so IP NAT Inside cannot be used. Also, normal ACL to src-nat cannot be used as the traffic would be bridged to the gateway of the client which is firewall.
A practical implementation for this would be, if we have captive portal server as server ( in topology ) and client just have to communicate with the server on HTTP/HTTPS.
In order to achieve this we could configure the server as ESI server and use the NAT+Redirect option in the ACL
Environment : This article applies to AOS version 6.1 and above
Configuration Steps :
1. We can create an ESI server, where we could use the server IP as ESI server. For example I used 10.13.15.40 as server. As we have to route the traffic we need to use route mode
esi ping Aruba
frequency 30
timeout 1
retry-count 2
!
esi server Aruba
trusted-ip-addr 10.13.15.40
untrusted-ip-addr 10.13.15.40
mode route
!
esi group Aruba
ping Aruba
server Aruba
!
2. Once the ESI configuration are done we need to create a NAT POOL with start and end IP as the controller interface IP, which we would need as source IP for the traffic destined to the server.
(Aruba-2) #show ip nat pool
NAT Pools
---------
Name Start IP End IP DNAT IP Flags
---- -------- ------ ------- -----
dynamic-srcnat 0.0.0.0 0.0.0.0 0.0.0.0
internal 10.17.224.66 10.17.224.66 0.0.0.0
3. We could use below ACL to redirect and NAT the guest users traffic
user host 10.13.15.40 svc-https/http redirect esi-group Aruba direction forward src-nat pool internal
Answer :
As the gateway for the client is not controller, by design controller bridge the traffic. If we do not have route between the server on client's vlan, we would need to NAT+Redirect the traffic of the client to the server using one of the routable
interface on the controller. This could not be achieved by using only src-nat ACL. We have to configure the server as ESI server in route mode and use the acl to redirect and NAT specific traffic.
Verification : I have used RDP to demonstrate the TCP session
Client IP : 192.168.2.3
Server : 10.13.15.40
Client IP : 192.168.2.3
Server : 10.13.15.40
(Aruba-2) #show datapath session table 10.13.15.40
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- --------- --------- -----
192.168.2.3 10.13.15.40 6 52076 3389 0/0 0 0 0 local 1 4 191 SRC
10.13.15.40 10.17.224.66 6 3389 52076 0/0 0 0 0 local 1 3 151 N
We could see that the traffic is Natted and redirected to the server. Without ESI the traffic would be bridged to uplink switch or the client's gateway.
We could see that the traffic is Natted and redirected to the server. Without ESI the traffic would be bridged to uplink switch or the client's gateway.
