01-22-2014 06:59 AM
I'm having difficulties with IP NAT pool.
A customer has large portions of public IPs and they don't use firewalls; it's all done via access-lists.
Hence, when the controllers are set up with IPs, they get a public IP.
At the same time, as you don't have a firewall, you will have to perform NAT on the Aruba.
As the controller has a public IP and a gateway in the same subnet, we don't want to pass guest traffic out there, as that would show the controller's management address on the Internet.
So we added a new VLAN, let's say 222, which is directly connected to a router via the trunk the controllers have to the customer's switches.
This vlan has IP x.x.134.12 / 255.255.255.248, and the router on the same L2 has .9.
We then add a new vlan, 410, with 10.0.4.0/23.
We would like to NAT all the 10.0.4.0 IPs out through the x.x.134.9 gateway, not using the default gateway (x.x.28.1).
I have defined a NAT pool; this pool contains all the addresses in the scope 10.0.4.1 - 10.0.5.254, with 134.9 as the Destination NAT IP address.
I then add a policy pointing to this NAT pool, and add the policy to a user rule.
Whatever I do, I can't get the traffic out on the 134.9 router.
What am I doing wrong, or are there any limitations I'm not aware of?
01-22-2014 07:21 AM - edited 01-22-2014 07:26 AM
First up, whoops, I clicked the "me too" button by accident!!! Sorry!
I'm not sure this sounds very secure, but I'll just focus on answering your question.
Your NAT pool needs to be the PUBLIC IPs you're translating to. So, set up a pool with the public addresses that will appear as the source of the traffic when it's heading to the world.
ip NAT pool my-public-pool x.x.x.x <<TO>> x.x.x.x
Then, in your user role, define a rule that NATs to that pool. For example...
ip access-list session src-nat-to-pool
user any any src-nat pool my-public-pool-name-here
The controller default gateway should not and will never appear as the IP source at the other end (unless it too is NAT'ing). I.e. you cannot NAT to the router/gateway IP as a source. If you want to do that, the gateway router must do it.
01-22-2014 10:53 AM
Thanks for the reply, still trying to wrap my head around this one, but I'm probably just looking at it the wrong way.
Let me just give you the IPs etc., and especially the NAT pool.
Here is the basic IP setup on the controller:
interface vlan 100
ip address x.x.28.98 255.255.255.0
interface vlan 200
ip address 10.0.4.1 255.255.254.0
interface vlan 300
ip address x.x.134.12 255.255.255.248
ip default-gateway x.x.28.1
In this scenario I would like to send the guests out on VLAN 300. The controller has x.x.134.12 and the router/gateway towards the Internet has x.x.134.9. VLAN 300 is directly connected.
As you said, my pool needs to be the public IP that I'm translating to, but is this the public IP on the controller (x.x.134.12) or the one on the router/gateway? It's a bit confusing as these devices have public IPs all over.
When I add the NAT pool, it asks for a starting and ending IP; are the start and the end the addresses I'm translating to? Not the actual pool of IPs that I have given the clients?
Will the NAT pool config be something like this:
ip NAT pool PublicPool x.x.134.12 x.x.134.9
Start being the controller's IP in VLAN 300 (x.x.134.12) and x.x.134.9 being the router, which is reachable going through x.x.134.12.
What IP should I use as start and end, and what as the destination NAT IP address?
This is the part where I'm a bit lost.
Hope you could clarify this bit for me.
01-26-2014 07:34 AM - edited 01-26-2014 07:35 AM
Sorry for the delay, was tied up.
"As you said, my pool needs to be the public IP that I'm translating to, but is this the public IP on the controller (x.x.134.12) or the one on the router/gateway? It's a bit confusing as these devices have public IPs all over." - In regard to this point, when you specify the pool, the controller uses these addresses IN ADDITION to its real address. In your example, 134.12 is the real address (used by the controller for default IP communication when you don't specify anything further), and 134.9 is the next-hop router.
"When I add the NAT pool, it asks for a starting and ending IP; are the start and the end the addresses I'm translating to? Not the actual pool of IPs that I have given the clients?" - The address isn't "given" to the client. But the outside world will believe it to be the client's address. The client's understanding of its address will be whatever you gave it elsewhere on the inside of the network. This is fundamental to NAT.
"Will the NAT pool config be something like this: ip NAT pool PublicPool x.x.134.12 x.x.134.9" - So your pool could be any other IPs in that subnet not in use on another device (inclusive of the next-hop router and controller). For instance, 134.13-20, or 134.1-8. The pool must be contiguous. It could include the controller if you like, so 134.10-20 for example is valid.
Additional tip - Based on your config, the default gateway of the controller will also need to change. You have it as "ip default-gateway x.x.28.1". It will need to be "ip default-gateway x.x.134.12". This change might have consequences on your entire internal/external routing, so take that into account, and consider a series of static routes, or OSPF if possible. NOTE why this is relevant: simply by configuring the NAT pool, you're only altering the source IP from which the traffic appears to originate. You're not changing the way the controller routes the traffic out into the network.
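The three points in the reply above (the pool is a contiguous range of spare addresses in the egress subnet, the inside host keeps its own address while the outside sees a pool address, and the pool does not decide which gateway the traffic leaves through) as a small Python model. This is an added example, not Aruba controller code or anything posted in the thread; it also goes beyond the thread by letting several inside subnets share one pool. All addresses are constructed: 203.0.113.8/29 stands in for the thread's x.x.134.8/29, 192.0.2.1 for the x.x.28.1 default gateway.

```python
"""Model of the NAT-pool discussion; constructed addresses, not controller code."""
import ipaddress

VLAN300 = ipaddress.ip_network("203.0.113.8/29")   # stands in for x.x.134.8/29
ROUTER = "203.0.113.9"                              # next hop to the Internet (x.x.134.9)
CONTROLLER = "203.0.113.12"                         # controller's VLAN 300 address (x.x.134.12)
MGMT_GW = "192.0.2.1"                               # stands in for ip default-gateway x.x.28.1

def validate_pool(start, end, net=VLAN300, next_hop=ROUTER):
    """Return the reasons a candidate 'ip nat pool START END' is unusable: the range must
    be contiguous (start <= end), lie inside the egress VLAN subnet, avoid the network and
    broadcast addresses, and not contain the next-hop router. Empty list = acceptable."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    if s > e:
        problems.append("start is after end: the range is not contiguous")
    if s not in net or e not in net:
        problems.append(f"range is not inside {net}")
    if min(s, e) <= ipaddress.ip_address(next_hop) <= max(s, e):
        problems.append(f"range contains the next-hop router {next_hop}")
    if net.network_address in (s, e) or net.broadcast_address in (s, e):
        problems.append("range includes the network or broadcast address")
    return problems

def source_nat(flows, start, end):
    """Source NAT with port translation. Each inside (src, sport) is rewritten to a pool
    address and a fresh port; the inside host is never told about it. Flows from any
    number of inside subnets may share the pool, since the table is keyed per flow."""
    first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    pool = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
    table = {}
    for n, (src, sport, dst, dport) in enumerate(flows):
        table[(src, sport)] = (pool[n % len(pool)], 1024 + n, dst, dport)
    return table

def next_hop(dst, routes, default_gw=MGMT_GW):
    """Longest-prefix match over (prefix, gateway) routes. The NAT pool plays no part
    here: without a route pointing at ROUTER, guest traffic still leaves via the
    management default gateway even though its source now reads as a pool address."""
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw)
    return best[1] if best else default_gw
```

The pool `PublicPool x.x.134.12 x.x.134.9` from the earlier post fails `validate_pool` twice (reversed range, and it spans the router), while a range such as .13 to .14 passes.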
07-21-2014 12:09 PM
Sounds like you've done this in the field, so I'll shamelessly bump an old thread here.
I have a 7240 controller with approximately 4000 end user devices behind it. I've split them into 4 VLANs (student residence buildings) and I need to NAT them. I could break this into 4 NAT pools, but then I'd need to derive roles based on both location and ID. For ease of management then, I'd be sharing one NAT pool across multiple VLANs/subnets.
Is there any reason this shouldn't work? I can always NAT on the firewall if the controller isn't the right place for it.