Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba Controller Source Nat Information

  • 1.  Aruba Controller Source Nat Information

    Posted Feb 14, 2015 02:14 PM

    Hello,

    I was recently in need of the source NAT ability of the Aruba controller. So when I started looking into the documents I found the configs. I applied exactly the same configuration instructed in the documents. Then I tested it, but it failed. Or I thought it failed.

    The controller (7240) is in a remote site and I didn't have a chance to check it from the interface with an application like Wireshark. So I decided to test it with my test controller (3200).

    I did the same configuration and at first I thought it failed.

    But the tricky thing is that in both tests I tried pinging using the VLAN IP of my controller as the source, i.e. the IP that should be source NATted. But when I tested it with a client which has an IP from the VLAN that should be source NATted, it was successfully done.

    And I found out many people opened posts with the same problem before. So when you test it, don't try it with the controller IP, because it is not being source NATted. It may be something about a bug or by design.

    For your info.

    Have a nice day.



  • 2.  RE: Aruba Controller Source Nat Information

    Posted Feb 16, 2015 08:56 AM

    I think that this is the normal behaviour of NAT.

    Scenario:

    Firewall:

    VLAN1: 192.168.240.1/24

    Controller:

    VLAN1: 192.168.240.2/24

    VLAN3333: 172.16.31.1/24 (ip nat inside)

    0.0.0.0/0    192.168.240.1

    If you are trying to start an ICMP request from the controller (source: VLAN 3333, dest: firewall VLAN 1) it won't be NATted, because it is not from inside VLAN 3333. A user who is doing an ICMP request inside VLAN 3333 will have success. The controller NATs the traffic from a USER to its own controller IP address for the next hop (based on the routing table). I think it doesn't NAT from controller IP to controller IP. I can't imagine a scenario where you would have to do something like that.

    Traffic flow of a user:

    PING: 192.168.240.1

    172.16.31.240 --> 192.168.240.2 (SNAT) --> 192.168.240.1 --> 192.168.240.2 --> 172.16.31.240

    Correct me if someone understands the NAT process in a different way.

    Regards,

    Thomas
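Added example (not from either poster, and not Aruba code): a small Python model of the behaviour Thomas describes, using the addresses from his scenario. It assumes the controller translates only transit traffic sourced inside the nat-inside VLAN, and that the firewall has no route back to VLAN 3333, which is why a ping sourced from the controller's own VLAN 3333 address gets no reply while a user's ping does.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed from the scenario in the reply above (not a real deployment).
NAT_INSIDE = ip_network("172.16.31.0/24")           # VLAN 3333, "ip nat inside"
CTRL_VLAN1 = ip_address("192.168.240.2")            # controller address on the uplink VLAN
FIREWALL = ip_address("192.168.240.1")              # default gateway (0.0.0.0/0)
FIREWALL_ROUTES = [ip_network("192.168.240.0/24")]  # firewall knows nothing about VLAN 3333


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def controller_egress(pkt: Packet, locally_originated: bool) -> tuple[Packet, bool]:
    """Assumed SNAT rule: translate only transit (user) traffic whose source sits in the
    nat-inside VLAN; packets the controller itself originates keep their source address."""
    if not locally_originated and pkt.src in NAT_INSIDE:
        return Packet(CTRL_VLAN1, pkt.dst), True
    return pkt, False


def firewall_echo_reply(pkt: Packet) -> tuple[Packet, bool]:
    """The firewall answers the echo but can only deliver to a destination it has a route for."""
    reply = Packet(pkt.dst, pkt.src)
    return reply, any(reply.dst in net for net in FIREWALL_ROUTES)


def ping(src: str, dst: str, locally_originated: bool) -> dict:
    """Run one echo request/reply through the model; return outcome and the hop-by-hop trace."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    outbound, translated = controller_egress(Packet(src_ip, dst_ip), locally_originated)
    trace = [str(src_ip)]
    if translated:
        trace.append(f"{outbound.src} (SNAT)")
    trace.append(str(outbound.dst))
    reply, deliverable = firewall_echo_reply(outbound)
    if not deliverable:
        # Reply addressed to 172.16.31.x never leaves the firewall: the test "fails".
        return {"success": False, "translated": translated, "trace": trace}
    trace.append(str(reply.dst))
    if translated:
        reply = Packet(reply.src, src_ip)  # controller undoes the translation on the way back
        trace.append(str(reply.dst))
    return {"success": True, "translated": translated, "trace": trace}


if __name__ == "__main__":
    print(" --> ".join(ping("172.16.31.240", "192.168.240.1", False)["trace"]))
    print(ping("172.16.31.1", "192.168.240.1", True))
```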