Wireless Access

Contributor I
Posts: 43
Registered: ‎06-19-2014

How do I see NAT translations?

Recently implemented ClearPass for our guest network authentication and had a consultant help us configure it. We had to make some infrastructure changes that I am not clear on. Everything is working, I am just not sure how.

We have a guest network 192.168.1.0/24 VLAN 998 going to a Palo Alto PA-500 out to a Comcast (boo) internet circuit. This network is not only used by Aruba for wireless guest. We also use this VLAN for guest access on the LAN as well. The PA does DHCP for VLAN 998. We have two 650 controllers (on separate floors) that use this network. Controller 1 has an IP of 192.168.1.10 in VLAN 998 and controller 2 has an IP of 192.168.1.9 in VLAN 998.

I am admittedly not 100% clear on why, but our consultant said we had to create a non-routed VLAN on each controller with a different address space and do DHCP for those networks on the Aruba controllers. We also added static routes to our private internal addresses and a default route to 192.168.1.1. 

Controller 1 now has 192.168.10.0/24 VLAN 4094 and controller 2 has 192.168.11.0/24 VLAN 4094 (since they aren't routed we used the same VLAN). I see the ip nat inside on each VLAN, so we are NATing. I can confirm this on the PA because I don't see traffic for 192.168.10.0/24 or 192.168.11.0/24, I only see traffic for 192.168.1.9 and 192.168.1.10 (amongst other LAN traffic).

I do not see how this is working though. I don't see a statement that translates from VLAN 4094 to the respective IP on VLAN 998. I also cannot see an actual translation table. I have posted some config below.

Thanks in advance. 

Controller 1:

interface vlan 4094
ip address 192.168.10.1 255.255.255.0
ip nat inside

interface vlan 998
ip address 192.168.1.10 255.255.255.0

Gateway of last resort is 192.168.1.1 to network 0.0.0.0 at cost 1
S* 0.0.0.0/0 [1/0] via 192.168.1.1*
S 10.0.0.0/8 [1/0] via 172.22.1.1*
S 172.16.0.0/12 [1/0] via 172.22.1.1*
C 172.22.1.0/24 is directly connected, VLAN150
C 192.168.1.0/24 is directly connected, VLAN998
C 192.168.10.0/24 is directly connected, VLAN4094
C 172.21.1.31/32 is an ipsec map default-local-master-ipsecmap

NAT Pools
---------
Name Start IP End IP DNAT IP Flags
---- -------- ------ ------- -----
dynamic-srcnat 0.0.0.0 0.0.0.0 0.0.0.0

Controller 2:

interface vlan 4094
ip address 192.168.11.1 255.255.255.0
ip nat inside

interface vlan 998
ip address 192.168.1.10 255.255.255.0

Gateway of last resort is 192.168.1.1 to network 0.0.0.0 at cost 1
S* 0.0.0.0/0 [1/0] via 192.168.1.1*
S 10.0.0.0/8 [1/0] via 172.22.1.1*
S 172.16.0.0/12 [1/0] via 172.22.1.1*
C 172.22.1.0/24 is directly connected, VLAN150
C 192.168.1.0/24 is directly connected, VLAN998
C 192.168.11.0/24 is directly connected, VLAN4094
C 172.21.1.31/32 is an ipsec map default-local-master-ipsecma


NAT Pools
---------
Name Start IP End IP DNAT IP Flags
---- -------- ------ ------- -----
dynamic-srcnat 0.0.0.0 0.0.0.0 0.0.0.0

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: How do I see NAT translations?

When you enable source NAT on a VLAN (ip nat inside), it NATs to the IP of the controller. If you want to specify a specific IP or pool of IPs to NAT to, you can create a pool (ip nat command) and then you need to configure the firewall policies for src-nat (and choose the pool) rather than have an action of permit.

You can configure the guest network either way, routed or not. The consultant was not wrong in recommending that setup, however it is possible to put them on a single or multiple routed VLANs.

If you run show datapath session table, look for the S flag (src-nat) to see traffic being NAT'd. There is not a NAT table per se.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
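An added example, not code from this thread or from Aruba: a small Python script that parses constructed show datapath session table lines, keeps only sessions carrying the S flag as the reply above describes, and builds the xlate-style view the question was after, assuming the translated address is the controller IP because plain ip nat inside uses it. The column layout of the sample is an assumption modelled on ArubaOS output, and the IPs in it are made up.

```python
import re

# Constructed sample of `show datapath session table` output (layout assumed,
# addresses invented). The fourth row has an empty Flags column on purpose.
SAMPLE = """\
  Source IP       Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets Bytes Flags
  --------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- ------- ----- -----
  192.168.10.25   8.8.8.8         17   51234 53     0/0  0    0   0   dev3        1    2       180   FSC
  192.168.10.25   93.184.216.34   6    44122 443    0/0  0    0   0   dev3        3    41      9150  TSC
  192.168.1.10    172.22.1.50     6    4343  22     0/0  0    0   1   local       5    12      1300  TC
  192.168.10.31   192.168.10.1    17   5001  67     0/0  0    0   0   local       2    1       300
"""

COLUMNS = ("src", "dst", "proto", "sport", "dport", "cntr", "prio", "tos",
           "age", "destination", "tage", "packets", "bytes", "flags")

def parse_session_table(text):
    """Parse the data rows of a session table into dicts keyed by COLUMNS."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, the dashed separator and blank lines.
        if not fields or not re.match(r"\d+\.\d+\.\d+\.\d+$", fields[0]):
            continue
        if len(fields) == len(COLUMNS) - 1:
            fields.append("")          # Flags column is empty for this session
        if len(fields) != len(COLUMNS):
            continue                   # unrecognised layout; do not guess
        rows.append(dict(zip(COLUMNS, fields)))
    return rows

def src_nat_view(rows, controller_ip):
    """xlate-style tuples: (inside src, sport, controller IP, dst, dport, proto).

    Only sessions with the S flag are translated; the outside address is the
    controller IP (show controller-ip) because the VLAN uses plain ip nat inside.
    """
    return [(r["src"], r["sport"], controller_ip, r["dst"], r["dport"], r["proto"])
            for r in rows if "S" in r["flags"]]

if __name__ == "__main__":
    for entry in src_nat_view(parse_session_table(SAMPLE), "192.168.1.10"):
        print("%s:%s -> %s  =>  %s:%s  proto %s" % entry)
```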

Contributor I
Posts: 43
Registered: ‎06-19-2014

Re: How do I see NAT translations?

Does everything get NAT'd to the controller IP in order to apply policies/firewall rules etc?

If I understand correctly, the new guest network gets NAT'd to the controller IP, which then routes to the default gateway using 192.168.1.9 (the interface it has on VLAN 998)?

Also, I did look at the session table. I was hoping to see something similar to the show xlate table in Cisco.

Thanks, I think the light bulb finally went on!

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: How do I see NAT translations?

johnnykilo wrote:

Does everything get NAT'd to the controller IP in order to apply policies/firewall rules etc?

>>It is not really a requirement to be NAT'd to the controller IP. All traffic has policy applied to it based on the role of the user, regardless of whether you are NAT'ing. You can set up NAT pools for use if you'd prefer not to use the controller's IP. However, if you simply enable NAT on any VLAN, it will NAT to the controller's IP (show controller-ip).

If I understand correctly, the new guest network gets NAT'd to the controller IP, which then routes to the default gateway using 192.168.1.9 (the interface it has on VLAN 998)?

>>Regardless of how it is NAT'd (controller IP or NAT pool), it will pass on through the next hop of the controller.

Also, I did look at the session table. I was hoping to see something similar to the show xlate table in Cisco.

>>I knew what you were going for, but the option is not there; sorry.

Thanks, I think the light bulb finally went on!

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 43
Registered: ‎06-19-2014

Re: How do I see NAT translations?

Thanks again.
