Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

How do I see NAT translations?

  • 1.  How do I see NAT translations?

    Posted Jul 16, 2014 10:49 AM

    Recently implemented ClearPass for our guest network authentication and had a consultant help us configure it. We had to make some infrastructure changes that I am not clear on. Everything is working, I am just not sure how.

     

    We have a guest network 192.168.1.0/24 VLAN 998 going to a Palo Alto PA-500 out to a Comcast (boo) internet circuit. This network is not only used by Aruba for wireless guest. We also use this VLAN for guest access on the LAN as well. The PA does DHCP for VLAN 998. We have 2 650 controllers (on separate floors) that use this network. Controller 1 has an IP of 192.168.1.10 in VLAN 998 and controller 2 has an IP of 192.168.1.9 in VLAN 998.

     

    I am admittedly not 100% clear on why, but our consultant said we had to create a non-routed VLAN on each controller with a different address space and do DHCP for those networks on the Aruba controllers. We also added static routes to our private internal addresses and a default route to 192.168.1.1. 

     

    Controller 1 now has 192.168.10.0/24 VLAN 4094 and controller 2 has 192.168.11.0/24 VLAN 4094 (since they aren't routed we used the same VLAN). I see the ip nat inside on each VLAN so they are NATing. I can confirm this on the PA because I don't see traffic for 192.168.10.0/24 or 192.168.11.0/24, I only see traffic for 192.168.1.9 and 192.168.1.10 (amongst other LAN traffic).

     

    I do not see how this is working though. I don't see a statement that translates from VLAN 4094 to the respective IP on VLAN 998. I also cannot see an actual translation table. I have posted some config below.

     

    Thanks in advance. 

     

    Controller 1:

     

    interface vlan 4094
    ip address 192.168.10.1 255.255.255.0
    ip nat inside

    interface vlan 998
    ip address 192.168.1.10 255.255.255.0

    Gateway of last resort is 192.168.1.1 to network 0.0.0.0 at cost 1
    S* 0.0.0.0/0 [1/0] via 192.168.1.1*
    S 10.0.0.0/8 [1/0] via 172.22.1.1*
    S 172.16.0.0/12 [1/0] via 172.22.1.1*
    C 172.22.1.0/24 is directly connected, VLAN150
    C 192.168.1.0/24 is directly connected, VLAN998
    C 192.168.10.0/24 is directly connected, VLAN4094
    C 172.21.1.31/32 is an ipsec map default-local-master-ipsecmap

    NAT Pools
    ---------
    Name Start IP End IP DNAT IP Flags
    ---- -------- ------ ------- -----
    dynamic-srcnat 0.0.0.0 0.0.0.0 0.0.0.0


    Controller 2:

    interface vlan 4094
    ip address 192.168.11.1 255.255.255.0
    ip nat inside

    interface vlan 998
    ip address 192.168.1.10 255.255.255.0

    Gateway of last resort is 192.168.1.1 to network 0.0.0.0 at cost 1
    S* 0.0.0.0/0 [1/0] via 192.168.1.1*
    S 10.0.0.0/8 [1/0] via 172.22.1.1*
    S 172.16.0.0/12 [1/0] via 172.22.1.1*
    C 172.22.1.0/24 is directly connected, VLAN150
    C 192.168.1.0/24 is directly connected, VLAN998
    C 192.168.11.0/24 is directly connected, VLAN4094
    C 172.21.1.31/32 is an ipsec map default-local-master-ipsecma


    NAT Pools
    ---------
    Name Start IP End IP DNAT IP Flags
    ---- -------- ------ ------- -----
    dynamic-srcnat 0.0.0.0 0.0.0.0 0.0.0.0


  • 2.  RE: How do I see NAT translations?
    Best Answer

    Posted Jul 16, 2014 11:04 AM

    When you enable source nat on a VLAN (ip nat inside), it NAT's to the IP of the controller.  If you want to specify a specific IP or pool of IPs to NAT to, you can create a pool (ip nat command) and then you need to configure the firewall policies for src-nat (and choose pool) rather than have an action of permit.

     

    You can configure the guest network either way; routed or not.  The consultant was not wrong in recommending that setup, however it is possible to put them on a single or multiple routed VLANs.

     

    If you run show datapath session table; look for the S flag (src-nat) to see traffic being NAT'd.   There is not a NAT table per se.
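    Since there is no xlate-style table, the practical way to answer the original question is to work from the session table. The following is an added example, not code from the thread or from HPE Aruba: a small parser that reads the data rows of "show datapath session table", lists the sessions carrying the S (src-nat) flag, presents them in a Cisco-xlate-like view against the controller IP (the translated address when only "ip nat inside" is set, as the answer above explains), and, as a sanity check for a non-routed guest VLAN, reports any session that left the inside subnet without being source-NAT'd. The column layout is assumed from the ArubaOS 6.x output format, and the sample rows below are constructed from the addresses in this thread, not captured from a real controller.

```python
import ipaddress
import re

# Constructed sample in the shape of "show datapath session table" output
# (column layout assumed from ArubaOS 6.x; addresses taken from the thread).
# Only the client-initiated direction of each flow is shown for brevity.
SAMPLE_OUTPUT = """\
Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       C - client, U - Locally destined

  Source IP       Destination IP  Prot SPort DPort  Cntr   Prio ToS Age Destination TAge Packets Bytes Flags
  --------------  --------------  ---- ----- -----  ------ ---- --- --- ----------- ---- ------- ----- -----
  192.168.10.50   8.8.8.8         17   52341 53     0/0    0    0   0   dev2        1    1       60    FSC
  192.168.10.77   93.184.216.34   6    40022 443    0/0    0    0   1   dev2        1    12      1530  SC
  192.168.10.88   10.1.1.5        6    33001 445    0/0    0    0   0   dev2        0    1       60    DC
  192.168.10.90   1.1.1.1         17   51000 53     0/0    0    0   0   dev2        1    1       60    C
  192.168.1.10    192.168.1.1     1    0     2048   0/0    0    0   0   dev2        3    2       196   FC
  192.168.10.60   192.168.10.1    17   50000 53     0/0    0    0   0   local       1    1       60    FC
  93.184.216.34   192.168.1.10    6    443   40022  0/0    0    0   1   local       1    10      8021
"""

# A data row starts with a dotted-quad source address; legend, header and
# separator lines do not, so they are skipped by this match.
_ROW_RE = re.compile(r"^\s*\d{1,3}(?:\.\d{1,3}){3}\s")


def parse_session_table(text):
    """Parse data rows into dicts.

    Assumed column order: Source IP, Destination IP, Prot, SPort, DPort,
    Cntr, Prio, ToS, Age, Destination, TAge, Packets, Bytes, Flags.
    Flags may be blank, so a row has either 13 or 14 whitespace tokens.
    """
    sessions = []
    for line in text.splitlines():
        if not _ROW_RE.match(line):
            continue
        tok = line.split()
        if len(tok) < 13:
            continue  # truncated or wrapped row; ignore rather than misparse
        sessions.append({
            "src": tok[0], "dst": tok[1], "proto": int(tok[2]),
            "sport": int(tok[3]), "dport": int(tok[4]),
            "flags": tok[13] if len(tok) > 13 else "",
        })
    return sessions


def src_nat_sessions(sessions):
    """Sessions the datapath is source-NATing (S flag)."""
    return [s for s in sessions if "S" in s["flags"]]


def xlate_view(sessions, controller_ip):
    """Approximate a Cisco 'show xlate' listing.

    With only 'ip nat inside' on the VLAN the controller translates to its
    own IP (controller_ip is passed in rather than read from the output).
    The translated port is not shown by this command, so it is not guessed.
    """
    return [(s["src"], s["sport"], s["dst"], s["dport"], controller_ip)
            for s in src_nat_sessions(sessions)]


def unnatted_egress(sessions, inside_net):
    """Sessions leaving inside_net with neither S (src NAT) nor D (deny).

    On a non-routed guest VLAN such a session would carry a private source
    address upstream and get no reply, so it points at a VLAN missing
    'ip nat inside' or a policy gap and is worth alerting on.
    """
    net = ipaddress.ip_network(inside_net)
    hits = []
    for s in sessions:
        src = ipaddress.ip_address(s["src"])
        dst = ipaddress.ip_address(s["dst"])
        if src in net and dst not in net and "S" not in s["flags"] and "D" not in s["flags"]:
            hits.append(s)
    return hits


if __name__ == "__main__":
    sessions = parse_session_table(SAMPLE_OUTPUT)
    print("src-nat sessions (inside addr, sport -> dst, dport via controller IP):")
    for row in xlate_view(sessions, "192.168.1.10"):
        print("  %s:%d -> %s:%d  via %s" % row)
    for s in unnatted_egress(sessions, "192.168.10.0/24"):
        print("WARNING: %s:%d -> %s:%d left the guest VLAN without src-nat (flags=%r)"
              % (s["src"], s["sport"], s["dst"], s["dport"], s["flags"]))
```

Paste the real command output into SAMPLE_OUTPUT (or read it from a file) and pass each controller's own address to xlate_view; on controller 2 in this thread that would be 192.168.1.9 with inside_net 192.168.11.0/24. Denied sessions (D flag) are excluded from the leak check on purpose, since they never reach the next hop.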



  • 3.  RE: How do I see NAT translations?

    Posted Jul 16, 2014 01:30 PM

    Does everything get NAT'd to the controller IP in order to apply policies/firewall rules etc?

     

    If I understand correctly, the new guest network gets NATd to the controller IP which then routes to the default gateway using 192.168.1.9 (the interface it has on VLAN 998)?

     

    Also, I did look at the session table, I was hoping to see something similar to the show xlate table in Cisco.

     

    Thanks, I think the light bulb finally went on!


  • 4.  RE: How do I see NAT translations?

    Posted Jul 16, 2014 01:43 PM

    @johnnykilo wrote:

    Does everything get NAT'd to the controller IP in order to apply policies/firewall rules etc?

     

    >>It is not really a requirement to be NAT'd to the controller IP.   All traffic has policy applied to it based on the role of the user, regardless of whether you are NAT'ing.  You can setup NAT Pools for use if you'd prefer not to use the controller's IP.  However, if you simply enable NAT on any VLAN, it will NAT to the Controller's IP (show controller-ip).

     

    If I understand correctly, the new guest network gets NATd to the controller IP which then routes to the default gateway using 192.168.1.9 (the interface it has on VLAN 998)?

     

    >>Regardless of how it is NAT'd (Controller IP or NAT Pool) it will pass on through the next hop of the controller

     

    Also, I did look at the session table, I was hoping to see something similar to the show xlate table in Cisco.

     

    >>I knew what you were going for, but the option is not there; sorry.

     

    Thanks, I think the light bulb finally went on!


  • 5.  RE: How do I see NAT translations?

    Posted Jul 16, 2014 03:53 PM

    Thanks again.