Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
  • 1.  IP NAT

    Posted Mar 01, 2013 01:22 PM

    Dear Friends.

     

    I need to configure IP NAT. Is there any document available that can help me configure NAT? I tried to find it in the OS guide, but unfortunately I was not able to understand it. Thanks in advance.



  • 2.  RE: IP NAT

    Posted Mar 01, 2013 02:27 PM

    There are lots of ways: NAT pools, rules in firewall policies, interface settings, etc. It depends on what you need from NAT.

     

    The simplest way by far...

     

    Have the controller as the router for a VLAN, and put IP NAT INSIDE on the IP interface.

     

    Does that do what you need?



  • 3.  RE: IP NAT

    Posted Mar 02, 2013 12:06 AM

    interface vlan 10
    ip address x.x.x.x 255.255.224.0 (Public IP)

    interface vlan 1
    ip address 192.168.2.1 255.255.255.0 (management VLAN)


    interface vlan 3
    ip address 10.10.0.1 255.255.255.0 (User VLAN)
    ip nat inside


    ip default-gateway x.x.x.x (Public IP of VLAN 10 Pool)

    I want to NAT all the traffic from VLAN 3 to the IP address of VLAN 10.
    How can I configure that?



  • 4.  RE: IP NAT

    Posted Mar 02, 2013 09:01 AM

    You already did! You should be done.

     

    You achieved it by using the "ip nat inside" command on VLAN 3.

     

    Is it doing what you want? Did you test it?

     



  • 5.  RE: IP NAT

    Posted Mar 04, 2013 12:51 PM
    Yes... it is working fine :-)

    It is translating all of my guest users to a single IP. How can I translate to multiple IPs? I mean, how can I configure a destination NAT pool instead of the single VLAN 10 IP?


  • 6.  RE: IP NAT
    Best Answer

    Posted Mar 04, 2013 06:40 PM

    You can translate to multiple IPs by using a NAT pool.

     

    For a simple way of doing that, it's a 2 step process.

     

    1. Configure a NAT pool.

    2. Configure the rules in your user role ACLs to NAT to that pool.

     

    For example....

     

    ip nat pool my-nat-pool 1.1.1.1 1.1.1.10
    !
    ip access-list session nat-to-my-nat-pool
      user any any src-nat pool my-nat-pool
    !
    user-role natted-user
      session-acl nat-to-my-nat-pool
    !

     

    Of course, if your user role has more rules, it might be more complex!



  • 7.  RE: IP NAT

    Posted Mar 05, 2013 12:18 AM
    Thank you so much, dear.

    This is exactly what I was looking for...


  • 8.  RE: IP NAT

    Posted Jul 16, 2014 10:53 AM

    I have a similar "issue". How does the ip nat inside command know to translate from IPs on VLAN 3 to the 1 IP on VLAN 10?

     

    Also how could I see a translation table? I assume the mechanism must be PAT if you are going from many IPs to 1 IP but I am not sure how to see that in the config.

     

    Thanks.



  • 9.  RE: IP NAT

    Posted Aug 21, 2014 09:49 AM

    With nat inside it will NAT the traffic to the outgoing interface IP, so if your traffic goes outside via VLAN 10 it will take that IP.

     

    As for the table, I believe: show datapath session table should help.



  • 10.  RE: IP NAT

    Posted Feb 24, 2015 01:14 AM

    Hi,

    Can this be achieved on a Dell PowerConnect W-650? It looks like the command for IP NAT for creation of a pool is not supported.

     

    Do I need any specific licence for this feature?

    How can I do the suggested config through the GUI?

     

    An immediate response is much appreciated.



  • 11.  RE: IP NAT

    Posted Mar 01, 2013 04:08 PM

    Contact me via Skype/e-mail and I will assist you remotely to configure and deploy the right NAT configuration.



  • 12.  RE: IP NAT

    Posted Jan 04, 2016 05:48 PM

    I have a similar issue and question.  My master controller has two interfaces: one internal for management / GRE tunnels to local controllers and one external for access to the internet.  Guest wireless clients will get a Net10 address out of a separate VLAN.  How can I ensure that guest traffic is NATed to the OUTSIDE interface only and not to the inside?

     

    My issue is that guest traffic can access internal resources and I think it's because it's being NATed to the internal interface IP and routing out the inside interface.  If I could ensure that the NAT would only go out the OUTSIDE interface, then this would resolve the internal network access issue.

     

    Thank you!



  • 13.  RE: IP NAT

    EMPLOYEE
    Posted Jan 04, 2016 05:50 PM

    In AOS 6.4.4 you can define the nat outside interface.



  • 14.  RE: IP NAT

    Posted Jan 05, 2016 09:27 AM

    Thanks Tim.  I am running 6.4.4.2.  Can you direct me to some documentation on how to do this or provide some more information?  That sounds like just what I'm looking for.

     

    Thanks again.



  • 15.  RE: IP NAT

    EMPLOYEE
    Posted Jan 05, 2016 09:36 AM
    On the VLAN interface, issue the command ip nat outside.



  • 16.  RE: IP NAT

    Posted Jan 05, 2016 12:22 PM

    I assume you mean specify "ip nat outside" on the OUTSIDE vlan interface, correct?  I have "ip nat inside" set on the VLANs hosting the private space but haven't specified "outside" anywhere.

     

    Thank you.



  • 17.  RE: IP NAT

    EMPLOYEE
    Posted Jan 05, 2016 12:56 PM
    Yes exactly.


  • 18.  RE: IP NAT

    Posted Jan 06, 2016 04:27 PM

    So I configured "ip nat outside" on the outside VLAN interface and guest traffic going out to the Internet is indeed being NATed to the outside IP as expected.  Excellent.

     

    However, when I try to access an internal IP, which should be blocked because the outside subnet doesn't have a route to the inside network, the source IP is actually the INSIDE vlan IP address and the traffic can successfully get to the internal destination.

     

    The controller does indeed have a static route to those internal destinations...this is needed so the controller can communicate with local controllers on the internal network.  However, we can't allow guest wireless users access to the internal network, for obvious reasons.  I thought that if traffic was "forced" to NAT out the outside interface, it would follow default (which I want) rather than the static route pointing back to the inside.

     

    Is my issue routing related or did I misconfigure the NATing?  Is there a way to prohibit the guest traffic from NATing out the INSIDE?

     

    Thanks.



  • 19.  RE: IP NAT

    Posted Apr 26, 2016 06:55 AM

    Did you find a solution to your issue, Jeff?  I'm having a similar issue where the NAT follows the controller's routing table, instead of being forced out the OUTSIDE vlan.  To make it work from the view of the NAT client, I have to break the internal routing of the controller, which doesn't make sense.  Any internal traffic from the NAT client gets NAT'd to my mgmt interface and appears to come from my controller's mgmt IP instead of forcing all NAT traffic out the OUTSIDE vlan.



  • 20.  RE: IP NAT

    Posted Apr 26, 2016 09:17 AM

    I did not find a clean solution to this problem.  In other words, I didn't find a solution that prohibited traffic from NATing out the inside interface.  What I did was create a netdestination list of all my internal address space and prohibit that by ACL.  Then, I let traffic flow the way it wants, but the prohibited destinations are still prohibited.  Not as clean as I would like, but it works.

     

    If you find another way to do this, let me know.

     

    -Jeff
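
A small model of the behaviour reported in posts 9, 18 and 20, added here as an example and not part of any post or of ArubaOS: the routing table picks the egress interface, the NAT source follows that interface, and a first-match deny on the internal address list is what actually keeps guests out. All addresses, interface names and function names are constructed assumptions.

```python
import ipaddress as ip

# Constructed addressing (assumption); 203.0.113.2 stands in for the public IP.
ROUTES = [  # (prefix, egress VLAN interface, interface IP used as NAT source)
    (ip.ip_network("0.0.0.0/0"), "vlan10-outside", "203.0.113.2"),
    (ip.ip_network("172.16.0.0/12"), "vlan1-inside", "192.168.2.1"),   # static route to local controllers
    (ip.ip_network("192.168.2.0/24"), "vlan1-inside", "192.168.2.1"),  # connected management VLAN
]
# Stand-in for the netdestination list from post 20: all internal address space.
INTERNAL = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Session ACL rules as (destination match, action); evaluated top-down, first match wins.
ACL_NAT_ONLY = [("any", "src-nat")]
ACL_WORKAROUND = [("internal", "deny"), ("any", "src-nat")]

def egress(dst):
    """Longest-prefix match: the route, not the NAT setting, picks the interface."""
    addr = ip.ip_address(dst)
    return max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)

def acl_action(acl, dst):
    """Return the action of the first rule whose destination matches."""
    addr = ip.ip_address(dst)
    for match, action in acl:
        if match == "any" or any(addr in n for n in INTERNAL):
            return action
    return "deny"  # implicit deny when no rule matches

def guest_flow(acl, dst):
    """Return (verdict, egress interface, translated source IP) for a guest packet."""
    if acl_action(acl, dst) == "deny":
        return ("deny", None, None)
    _, ifname, nat_ip = egress(dst)
    return ("forward", ifname, nat_ip)

if __name__ == "__main__":
    for name, acl in (("nat-only", ACL_NAT_ONLY), ("workaround", ACL_WORKAROUND)):
        for dst in ("8.8.8.8", "172.16.5.10"):
            print(name, dst, guest_flow(acl, dst))
```

With the NAT-only rule set, the internal destination is forwarded out the inside interface with the inside IP as source, which is the leak described in post 18. If guests rely on an internal DHCP or DNS server, those permits have to sit above the deny rule.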