Controllerless Networks

Reply

Configure IAP to not NAT requests

So I have a customer who is using a filtering system on the guest network to keep people from accessing inappropriate websites. They want to be able to use see exactly who attempts to do this in their firewall, but right now the IAP is sending the requests as itself.

 

We configured the VC to hand out IP addresses for the users and on their firewall, any request from 192.168.1.1/24 is given the gateway of the virtual controller. The virtual controller's gateway is the firewall/filter and is sending the request as itself. Is there a way to keep from NAT the request and send as the user instead? 

 

They currently have a 3200 controller we are replacing and they had the same issue, but don't remember how it was resolved. 

 

Any ideas here? They cannot change the way they are processing data as this is a school and I'm not sure how to resolve this. I considered having them filter any request from the VC address to fix that issue, but we have a 802.1x network as well and wanted to make sure it wouldn't break that either.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0

Re: Configure IAP to not NAT requests

With IAPs, when you use a guest type network with DHCP, the Virtual Controller will ALWAYS NAT the traffic using the VC address.  Your other option is to configure a VLAN with DHCP services off the switch or a DHCP server at this location.  

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
New Contributor

Re: Configure IAP to not NAT requests

Hi!
Is this info correct Seth?
I have run into a scenario where I want to hide clients behind the VC for simple routing but it seems to me that it always uses the IAP address for NAT.

Is there someone out there who can tell me what I am doing wrong? 😁

/Mister_245

Re: Configure IAP to not NAT requests

Seth is correct, so if you use the internal DHCP server of the IAP, it will always NAT the requests as the IAP itself. If you use a local DHCP server on the network somewhere else, and it will route the traffic normally and traffic will source from your client device instead.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
New Contributor

Re: Configure IAP to not NAT requests

Yes, but it will NAT behind the IP address of the IAP that is running the VC role, not the access point that the client is connected through, right?

CTO / Teknikchef

[cid:MailloggaB2Bteknik_241d1520-bd75-43e6-b65f-d6f8add7b024.png]

B2B IT-Partner AB
Svetsarvägen 8 BV / Box 1018, 171 21 Solna, Phone: +46 8 635 31 20 , Mob: +46 8 635 31 24 , Vxl: +46 8 635 31 00
E-mail: Peter.Schmidt@b2bitpartner.se, Internet: http://b2bitpartner.se
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: