Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Clients IP address to show pass the Controller

  • 1.  Clients IP address to show pass the Controller

    Posted Oct 08, 2015 10:19 PM

    Hi all,

     

    I put the controller behind my Cisco ASA.

    The controller is set up as the DHCP server and the gateway for the wifi clients. I use the Cisco ASA as the gateway for the controller.

    The problem that I'm currently having is that when I review the traffic on the Cisco ASA, I'm only seeing traffic from one IP address (the controller) instead of from all 50 clients that are currently connected to the controller.

    Is there a setting on the controller that I need to set to have the client's IP address forwarded or translated to the Cisco ASA?

     

    Do I need to uncheck "Enable source NAT for this VLAN" from the Client's VLAN IP configuration?

    Or is it the firewall acl or role blocking this?

    We have PEFS license on all of our APs.

     

    Any help would be appreciated.

    Thank you all. 

     

     



  • 2.  RE: Clients IP address to show pass the Controller

    EMPLOYEE
    Posted Oct 08, 2015 10:22 PM
    Yes. If another device is performing NAT translation upstream, you should disable NAT on the controller interface.


  • 3.  RE: Clients IP address to show pass the Controller

    Posted Oct 08, 2015 10:32 PM

    Thanks Tim.

     

    I just unchecked the box "Enable source NAT for this VLAN" and I lost the connection.

    Is there anything else on the controller that I need to check or that should be it and try to troubleshoot with the NAT configuration on the Cisco?

     

    Much appreciated again.

     

    Thank you.



  • 4.  RE: Clients IP address to show pass the Controller

    EMPLOYEE
    Posted Oct 08, 2015 11:58 PM

    Does your ASA have a route back to your controller?



  • 5.  RE: Clients IP address to show pass the Controller

    Posted Oct 09, 2015 08:19 PM

    Do you mind sharing why I would need to have a route back to the controller from the ASA?

    I thought the route should be:

    Wifi Clients -> Controller -> ASA -> Internet

    ?

     

    It seems like the controller is acting as a FW also, so it is blocking everything (broadcast packets, etc.) outgoing from it, because I did a packet tracer on the ASA (with Cisco support's help) and was not able to see any packet hitting the ASA even though my iPad is connected to the wifi and able to get to the internet.

    I did disable the NAT on the controller and enable it on the ASA, but since we're not seeing any packet hitting the ASA, the NAT is useless.

    So I had to re-enable it again on the controller or the users won't be able to get to the internet.

     

    Any other ideas that I should try?

    Maybe I need to change the controller functionality to not become a firewall and just function as a controller and let the AP do the FW for the clients.

    Do you know if there's a KB or blog for it?

     

    Thank you.



  • 6.  RE: Clients IP address to show pass the Controller

    Posted Oct 18, 2015 01:41 PM

    If you can work with NAT enabled but you don't see the traffic hit the ASA, then it either goes via another path or you are looking for the wrong traffic.

     

    Please provide a good network diagram of your setup and we might be able to help out.
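
The points raised in replies 2 and 4, as an added configuration example that is not from the thread or from vendor documentation: once source NAT is off on the client VLAN, the ASA sees the clients' own addresses, so it needs a route back to that subnet via the controller and its own NAT rule. The VLAN ID, subnets, addresses, interface names and object name are constructed assumptions.

```text
! --- Aruba controller (ArubaOS CLI): stop source-NATing the client VLAN ---
! CLI form of unchecking "Enable source NAT for this VLAN".
! VLAN 20 and 10.20.0.0/24 are constructed sample values for the client VLAN.
interface vlan 20
   ip address 10.20.0.1 255.255.255.0
   no ip nat inside
!
! --- Cisco ASA: return route to the client subnet via the controller ---
! 192.168.1.2 is a constructed address for the controller's uplink interface;
! "inside" is an assumed nameif for the ASA interface facing the controller.
! Without this route the ASA has no path for replies to 10.20.0.x, which
! matches losing connectivity as soon as NAT is disabled on the controller.
route inside 10.20.0.0 255.255.255.0 192.168.1.2
!
! --- Cisco ASA (8.3+ syntax): translate the client subnet here instead ---
! "outside" is an assumed nameif for the Internet-facing interface.
object network WIFI-CLIENTS
 subnet 10.20.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- Verify on the ASA ---
! The route should be listed, and packet-tracer run with a client source
! address (constructed: 10.20.0.50) should show the NAT rule being applied.
show route | include 10.20.0.0
packet-tracer input inside tcp 10.20.0.50 12345 203.0.113.10 443
```

With this in place, ASA connection logs and captures show each client's own 10.20.0.x address rather than the controller's single address.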