Occasional Contributor II

Clients IP address to show past the Controller

Hi all,

 

I put the controller behind my Cisco ASA.

The controller is set up as the DHCP server and the gateway for the wifi clients. I use the Cisco ASA as the gateway for the controller.

The problem that I'm currently having is that when I review the traffic on the Cisco ASA, I'm only seeing traffic from one IP address (the controller) instead of from all the 50 clients that are currently connected to the controller.

Is there a setting on the controller that I need to set to have the clients' IP addresses forwarded or translated to the Cisco ASA?

 

Do I need to uncheck "Enable source NAT for this VLAN" from the Client's VLAN IP configuration?

Or is it the firewall ACL or role blocking this?

We have PEFS license on all of our APs.

 

Any help would be appreciated.

Thank you all. 

 

 

Guru Elite

Re: Clients IP address to show past the Controller

Yes. If another device is performing NAT translation upstream, you should disable NAT on the controller interface.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Clients IP address to show past the Controller

Thanks Tim.

 

I just unchecked the box "Enable source NAT for this VLAN" and I lost the connection.

Is there anything else on the controller that I need to check, or should that be it and I should try to troubleshoot the NAT configuration on the Cisco?

 

Much appreciated again.

 

Thank you.

Guru Elite

Re: Clients IP address to show past the Controller

Does your ASA have a route back to your controller?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
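
What the route-back question checks, as an added example that is not part of any post in this thread: a small model of the ASA's route lookup for return traffic, with source NAT on the controller on or off. All addresses, the routing table and the function names are constructed assumptions, not values from the poster's network.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread):
#   ASA inside 192.168.1.1/24, controller uplink 192.168.1.10,
#   WiFi client VLAN 10.50.0.0/24 behind the controller.
CONTROLLER = ipaddress.ip_address("192.168.1.10")
CLIENT = ipaddress.ip_address("10.50.0.23")

def asa_routes(with_client_route):
    """Hypothetical ASA routing table: (prefix, egress interface, next hop)."""
    routes = [
        (ipaddress.ip_network("192.168.1.0/24"), "inside", None),   # connected
        (ipaddress.ip_network("0.0.0.0/0"), "outside", "isp-gw"),   # default
    ]
    if with_client_route:
        # Static route for the client VLAN, pointing at the controller.
        routes.append((ipaddress.ip_network("10.50.0.0/24"), "inside", str(CONTROLLER)))
    return routes

def source_seen_by_asa(client_ip, controller_snat):
    """Source address on packets leaving the controller toward the ASA."""
    return CONTROLLER if controller_snat else client_ip

def reply_path(routes, dst):
    """Longest-prefix match for return traffic addressed to dst."""
    _, iface, hop = max((r for r in routes if dst in r[0]),
                        key=lambda r: r[0].prefixlen)
    return iface, hop

def scenario(controller_snat, with_client_route):
    """Return (source the ASA logs, reply egress interface, reply next hop)."""
    src = source_seen_by_asa(CLIENT, controller_snat)
    iface, hop = reply_path(asa_routes(with_client_route), src)
    return str(src), iface, hop

if __name__ == "__main__":
    for snat, route in [(True, False), (False, False), (False, True)]:
        print(f"controller SNAT={snat!s:5} ASA client route={route!s:5} ->",
              scenario(snat, route))
```

With source NAT on, the ASA only ever logs the controller's address; with it off, the ASA logs the real client address but sends replies out the default route unless it has a route for the client subnet via the controller.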
Occasional Contributor II

Re: Clients IP address to show past the Controller

Do you mind sharing why I would need to have a route back to the controller from the ASA?

I thought the route should be:

Wifi Clients -> Controller -> ASA -> Internet

?

 

It seems like the controller is acting as a FW also, so it is blocking everything (broadcast packets, etc.) outgoing from it, because I did a packet tracer on the ASA (with Cisco support's help) and was not able to see any packet hitting the ASA even though my iPad is connected to the wifi and able to get to the internet.

I did disable the NAT on the controller and enabled it on the ASA, but since we're not seeing any packet hitting the ASA, the NAT is useless.

So I had to reenable it again on the controller or the users won't be able to get to the internet.

 

Any other ideas that I should try?

Maybe I need to change the controller functionality to not become a firewall and just function as a controller and let the AP do the FW for the clients.

Do you know if there's a KB or blog for it?

 

Thank you.

Re: Clients IP address to show past the Controller

If you can work with NAT enabled but you don't see the traffic hit the ASA, then it either goes via another path or you are looking for the wrong traffic.

 

Please provide a good network diagram of your setup and we might be able to help out.
