Wireless Access

Occasional Contributor II
Posts: 21
Registered: ‎05-01-2015

1 to 1 NAT based off port

I know there are a lot of posts out there on 1 to 1 NAT.  But I am looking for something a little different.  I have an ESX server with multiple NICs, one NIC is used for a DMZ.  I want to make the following configuration, and I am a little stuck

 

Internet IP:Internet Port-->Internal IP:Internal Port

50.0.10.10:443-->10.10.12.10:443

50.0.10.10:2326-->10.10.12.11:2326

50.0.10.11:50000-59999-->10.10.12.12:50000-59999


Can this be done?  If so, I need some guidance.  Preferably with the GUI...

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: 1 to 1 NAT based off port

You want to use the dst-NAT action if you have a controller facing the public internet...see this.  This is from the Access Control ---> Policies portion of the Configuration on an Aruba Controller.

 

Screen Shot 2015-10-28 at 8.51.04 PM.png

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 21
Registered: ‎05-01-2015

Re: 1 to 1 NAT based off port

Cool! But where do I put the public IP address? For example, I have 1 physical connection with four IP addresses, i.e. FE 1/6 is connected to a DSL modem and it has four IP addresses, and each address may serve multiple ports or a single
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: 1 to 1 NAT based off port

You can create an alias with all those addresses if you wish, or just specify one IP address. To create an alias, from Configuration click on Stateful Firewall and then click Destinations across the top.
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 21
Registered: ‎05-01-2015

Re: 1 to 1 NAT based off port

[ Edited ]

So here is what I have, but it is not working, and it may just be a configuration on the DSL modem, but does the config look right?  Then this made me realize: what about making the outbound IP address the same as what it came in on, i.e. if I use whatsmyip.com, have it show the mapped IP address?  That is because I have a second cable modem hooked to it as well, which is set as the default gateway.

 

I have configured esx for the correct vlan, I can get to port 80 and 443 internally fine to 10.10.13.10.

2015-10-28_19-47-44.png

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: 1 to 1 NAT based off port

In order for this to work, the 50.x addresses must live on the controller. The controller is connected directly to the dsl modem
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 21
Registered: ‎05-01-2015

Re: 1 to 1 NAT based off port

By "live on the controller", you mean assign the 50.x IP address to a VLAN?

 

Here is the business case of what I am working on.  Basically we have a small remote office, all wireless, but we need to put Skype for Business out there.  So I have 4 IP addresses: 3 for the edge, 1 for our SIP trunk that will also be used for the reverse proxy.  I am using this to learn more than the basic setup of a controller (WLANs, VLANs, etc...).  All the services are virtualized.

Occasional Contributor II
Posts: 21
Registered: ‎05-01-2015

Re: 1 to 1 NAT based off port

Okay, making progress.  I have created a VLAN, 1013, and I gave the 50.x IP address to that VLAN.  When I go to access that IP address from the outside world I get the management interface of the controller, which I would expect.  So at least I know I have the DSL part configured correctly.  So I just need to figure out what you mean by "live on the controller".

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: 1 to 1 NAT based off port

OK...that's good...now just add that firewall policy with the dst-NAT actions from the previous post. Once you have the firewall policies configured...remember to allow everything you might need including DNS, ICMP, DHCP as well from any to any and then apply this policy to the Interface like so:

 

interface gigabitethernet 1/3
description "GE1/3"
trusted
trusted vlan 1-4094
ip access-group "public-interface" session vlan 666
switchport access vlan 666

 

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 21
Registered: ‎05-01-2015

Re: 1 to 1 NAT based off port

So here are the commands I ran.  FE 1/6 is the port that has the DSL modem connected.

interface fastethernet 1/6
trusted
trusted vlan 1-4094
ip access-group edgeav443 session vlan 1013
switchport access vlan 1013

 

show vlan 1013

VLAN   Description  Ports   AAA Profile
----   -----------  -----   -----------
1013   VLAN1013     FE1/6   N/A

show ip interface brief

vlan 1013                   50.x.x.40 / 255.255.255.0     up      up

 

And here are the policies; I couldn't find the right command line to show them.

2015-10-29_13-16-11.png

But still, when I go to the 50.x IP address I get the controller interface, not the server on the VM.
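The pieces described in this thread (a destination alias, a session ACL with dst-nat actions, and the ACL applied to the modem-facing port) put together as one added example; this is not the poster's configuration and the ACL and alias names are invented. It assumes the ArubaOS 6.x session-ACL syntax `<source> <dest> <service> dst-nat ip <ip> [<port>]` and uses the original post's three mappings, with a final deny so that anything else aimed at the public addresses (the controller's own management UI included) is dropped instead of answered by the controller.

```text
netdestination edge-public
  host 50.0.10.10
  host 50.0.10.11
!
ip access-list session dmz-dst-nat
  any host 50.0.10.10 tcp 443 dst-nat ip 10.10.12.10 443
  any host 50.0.10.10 tcp 2326 dst-nat ip 10.10.12.11 2326
  any host 50.0.10.11 tcp 50000 59999 dst-nat ip 10.10.12.12
  any alias edge-public any deny
!
interface fastethernet 1/6
  description "DSL modem"
  trusted
  trusted vlan 1-4094
  ip access-group dmz-dst-nat session vlan 1013
  switchport access vlan 1013
!
```

Rules are matched first-hit, so the explicit dst-nat lines must sit above the deny, and the 50.x addresses must be assigned to VLAN 1013 on the controller for the translation to take effect. Return traffic from the 10.10.12.x hosts also has to route back through the controller rather than out the second cable modem, otherwise the stateful session is asymmetric and the translated connection never completes.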
