Wireless Access

Contributor II

Guest Users going out Firewall with Controller IP

My guests are on VLAN 115.  Their devices get the correct IP address.  However when they hit the firewall they have the IP address of the Aruba Controller.  Need help troubleshooting.  If I can find out what the issue is I can fix it.  Anybody?

Frequent Contributor I

Re: Guest Users going out Firewall with Controller IP

Sounds like you are using the IP interface of VLAN 115 as the default gateway for the guests, and "ip nat inside" is enabled on that VLAN 115 interface.

Contributor II

Re: Guest Users going out Firewall with Controller IP

I am, dugem2016.  I understand that is how guest outbound IPs are showing up as the controller.  Is there a better method so I can see individual guest IPs?

Frequent Contributor I

Re: Guest Users going out Firewall with Controller IP

Hi MemphisBrothers, there isn't really any other easy way once the NAT is in place.

Are you trying to actually see the traffic, or is it for audit purposes or just for debug purposes?

For audit, you could maybe look at doing something like open SSID RADIUS accounting to try and capture the Framed-IP of the user.

Another option, but it's not so nice to the controller, is that you put a logging rule on the access-list and collect the syslog of the controller somewhere (not the most scalable solution though, and I wouldn't recommend it for that reason).

Finally, if you're just trying to debug, you can use "show datapath session table | include <thing>" to find the NAT flows. At the risk of showing you something you already know, here is how that would look for a NATted ping from client 192.168.5.1 to 192.168.1.254 which goes through nat-inside on 192.168.1.162. The ip1,ip2 syntax is just to pick up both sides of the conversation (no space around the comma).

(zzzz) #show datapath session table | include 192.168.5.1,192.168.1.254

192.168.1.254   192.168.1.162   1    34807 0      0/0     0    0   0   tunnel 18   6    1          60         FNI
192.168.5.1     192.168.1.254   1    34807 2048   0/0     0    0   0   tunnel 18   6    1          60         FSCI

The "C" in the last row indicates the initiator, in this case I know that to be the client.
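For anyone who wants to turn the debug technique above into a repeatable audit check, the following is an added example (not from the thread or from Aruba) that parses rows in the layout of the "show datapath session table" output quoted above, takes the row carrying the "C" flag as the initiator, and pairs it with the reverse row to recover which guest IP sits behind the NAT address. The sample rows and the field names are constructed to match the two lines shown in the post.

```python
"""Pair both halves of a NATted session from 'show datapath session table' output."""
from typing import Dict, List, Optional

# Constructed sample with the same layout as the two rows quoted in the thread.
SAMPLE_OUTPUT = """\
192.168.1.254   192.168.1.162   1    34807 0      0/0     0    0   0   tunnel 18   6    1          60         FNI
192.168.5.1     192.168.1.254   1    34807 2048   0/0     0    0   0   tunnel 18   6    1          60         FSCI
"""


def parse_session_line(line: str) -> Optional[Dict[str, str]]:
    """Split one table row into named fields; return None for prompt/header/blank lines."""
    parts = line.split()
    if len(parts) < 14 or not parts[0][0].isdigit():
        return None
    # The 'Destination' column may itself contain a space ("tunnel 18"), so take the
    # nine leading fixed columns and the four trailing ones, and join whatever is between.
    head, tail = parts[:9], parts[-4:]
    return {
        "src": head[0], "dst": head[1], "proto": head[2],
        "sport": head[3], "dport": head[4],
        "destination": " ".join(parts[9:-4]),
        "packets": tail[1], "bytes": tail[2], "flags": tail[3],
    }


def nat_mappings(table: str) -> List[Dict[str, str]]:
    """Map each initiator (row flagged 'C', as the thread explains) to the NAT address
    the controller used: the mate row is the one whose source equals the initiator's
    destination with the same protocol and source port (the ICMP id / TCP-UDP port)."""
    rows = [r for r in (parse_session_line(ln) for ln in table.splitlines()) if r]
    results = []
    for init in rows:
        if "C" not in init["flags"]:
            continue
        for mate in rows:
            if (mate is not init and mate["src"] == init["dst"]
                    and mate["proto"] == init["proto"]
                    and mate["sport"] == init["sport"]):
                results.append({"client": init["src"], "server": init["dst"],
                                "nat_ip": mate["dst"], "proto": init["proto"]})
    return results


if __name__ == "__main__":
    for m in nat_mappings(SAMPLE_OUTPUT):
        print(f"guest {m['client']} -> {m['server']} appears at the firewall as {m['nat_ip']}")
```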
