Wired Intelligent Edge (Campus Switching and Routing)

 View Only
last person joined: one year ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of HPE Aruba Networking switching devices, and find ways to improve security across your network.
Back to Library

How to enable NAT logging to track communication strings back to their source 

Jul 03, 2014 10:46 PM

Nat on the user vlan
Nat on the role
Nat using a nat pool
Nat on the user vlan:
 
We won’t able to get or print the syslog message.
 
Nat on the role
 
If there is no nat pool, it use switch ip address by default. Attached is the sample config. Make sure we have enabled log on the acl user hits.
 
Nat using a nat pool
 
It uses the nat pool but we need to make sure the log is checked and user hit the acl
 
If we have both 1 & 3 in a combo, we won’t get the message as Vlan takes the precedence.
May 21 20:51:33 :124006:  <WARN> |authmgr|  {1} UDP srcip=20.1.1.2 srcport=137 dstip=20.1.1.255 dstport=137, action=src-nat, role=Nat, policy=Nat
May 21 20:51:33 :124006:  <WARN> |authmgr|  {2} UDP srcip=20.1.1.2 srcport=64181 dstip=224.0.0.252 dstport=5355, action=src-nat, role=Nat, policy=Nat
May 21 20:51:33 :124006:  <WARN> |authmgr|  {3} UDP srcip=20.1.1.2 srcport=51505 dstip=239.255.255.250 dstport=1900, action=src-nat, role=Nat, policy=Nat
May 21 20:51:33 :124006:  <WARN> |authmgr|  {4} TCP srcip=20.1.1.2 srcport=64418 dstip=10.1.10.10 dstport=389, action=src-nat, role=Nat, policy=Nat
May 21 20:51:33 :124006:  <WARN> |authmgr|  {5} UDP srcip=20.1.1.2 srcport=1900 dstip=239.255.255.250 dstport=1900, action=src-nat, role=Nat, policy=Nat
May 21 20:51:34 :124006:  <WARN> |authmgr|  {6} UDP srcip=20.1.1.2 srcport=58031 dstip=224.0.0.252 dstport=5355, action=src-nat, role=Nat, policy=Nat
May 21 20:51:36 :124006:  <WARN> |authmgr|  {7} UDP srcip=20.1.1.2 srcport=51509 dstip=224.0.0.252 dstport=5355, action=src-nat, role=Nat, policy=Nat
May 21 20:51:36 :124006:  <WARN> |authmgr|  {8} UDP srcip=20.1.1.2 srcport=5353 dstip=224.0.0.251 dstport=5353, action=src-nat, role=Nat, policy=Nat
May 21 20:51:36 :124006:  <WARN> |authmgr|  {9} proto=ipv6 srcip=20.1.1.2 dstip=192.88.99.1, action=src-nat, role=Nat, policy=Nat
May 21 20:51:36 :124006:  <WARN> |authmgr|  {10} UDP srcip=20.1.1.2 srcport=54904 dstip=224.0.0.252 dstport=5355, action=src-nat, role=Nat, policy=Nat
May 21 20:51:37 :124006:  <WARN> |authmgr|  {11} UDP srcip=20.1.1.2 srcport=52631 dstip=224.0.0.252 dstport=5355, action=src-nat, role=Nat, policy=Nat
May 21 20:51:37 :137004:  <WARN> |mdns|  RADIUS server cppm3--3.3.3.3-1812 timeout
May 21 20:51:50 :124006:  <WARN> |authmgr|  {12} UDP srcip=20.1.1.2 srcport=17500 dstip=20.1.1.255 dstport=17500, action=src-nat, role=Nat, policy=Nat
May 21 20:51:50 :137004:  <WARN> |mdns|  RADIUS server cppm3--3.3.3.3-1812 timeout
 
!
wlan ssid-profile "default"
   essid "Airdrop"
   opmode wpa2-psk-aes
   wpa-passphrase 7bb9df99bdfdde639d2222f235b7960a7b8307dc83e05a3b
!
 
 
!
wlan virtual-ap "default"
   aaa-profile "default-dot1x-psk"
   vlan 1000
!
!
ap-group "default"
   virtual-ap "default"
   regulatory-domain-profile "US"
!
!
 
interface vlan 1000
        ip address 20.1.1.1 255.255.255.0
        operstate up
     
!
 
!
aaa profile "default-dot1x-psk"
   initial-role "Nat"
   authentication-dot1x "default-psk"
!
 
!
user-role Nat
 access-list session Nat
!
 
show ip access-list Nat
 
ip access-list session Nat
Nat
---
Priority  Source  Destination  Service  Action   TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------   ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      src-nat             Yes           Low                                                           4
 

 

Statistics
0 Favorited
1 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.