Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

IP Nat

  • 1.  IP Nat

    Posted Jul 07, 2014 11:17 AM

    Hello,

     

    I would like to configure IP Nat for our Public Wifi. I looked at the User Guide and other topics here, but I would like to confirm my findings with you if possible.

     

    I have attached a simple diagram of the setup I have in mind.

    At the moment our Public Wifi connects to our ISP router via an ASA firewall. This is a legacy setup that was put in place back in the day when the Aruba FW was not EAL4 compliant.

    The ASA is doing the NAT rather than the controller. What I would like to achieve is to be able to take the ASA out of the equation and have the controller connect directly into the ISP using the Nat feature.

     

    I'm thinking to do the following:

    1- Create vlan 10 ----- IP 192.168.23.x 255.255.255.0 (Outside Address)

    2- Vlan 3 ------ 192.168.x.x 255.255.240.0 (clients' wifi IP address NOT conflicting with the Outside address)

    3- DHCP Pool for Vlan 3
    3- In the IP interface configuration for Vlan 3 I tick the Enable source NAT for this VLAN

     

    Is there anything else that I need to do please?

     

    P.S.

    How would the controller know to NAT to the Public Wifi IP address of 192.168.x.x and not the Services Outside IP address of 10.47?

    Many thanks in advance!

     

     



  • 2.  RE: IP Nat

    Posted Jul 07, 2014 12:10 PM

    That should work. Keep in mind that in order for this setup to work, the controller's default gateway (ip default-gateway) needs to be on VLAN 10. Any internal networks will need to have static routes set up.

     

    You can also set up a firewall policy to put on the external interface if you want to secure it from incoming connections (if the ASA is going away). http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Network-gt-Ports-Firewall-Policy-Help/m-p/6743/highlight/true#M2495 or http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Using-Aruba-as-edge-firewall/m-p/68292/highlight/true#M13121



  • 3.  RE: IP Nat

    Posted Jul 08, 2014 10:00 AM

    Hello Clembo and many thanks for your reply.

    My concern with this setup is the default gateway.

     

    Our corporate Vlans also access 0.0.0.0 however they do so via our corporate link and not via our Public Internet link.

     

    Not sure I can have a default Gateway going to 0.0.0.0 for Public and a static route going to 0.0.0.0 for all the corporate Vlans via a different next hop?

     

    Many thanks,

     

    H



  • 4.  RE: IP Nat

    Posted Jul 08, 2014 10:48 AM

    If clients use your core network for their default gateway (recommended) then no change is necessary for them to function. If you set the default gateway of the controller to the external connection, you'll need to add static routes for any internal networks that the controller needs to access (think AirWave, RADIUS, etc.). This will also affect the networks that you administer the controller from; they too will need static routes.
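
Added example, not part of any post in this thread: a Python sketch of the routing point made in replies 2 and 4, showing which controller-originated traffic follows the default gateway on VLAN 10 when the internal static routes are missing, plus a check that a 255.255.240.0 client range does not contain the outside /24. Every address except 192.168.23.0/24 is constructed, and the function names are hypothetical.

```python
import ipaddress

# All addresses below are constructed for illustration, except the outside
# VLAN 10 subnet, which is the 192.168.23.x /24 from the thread.
OUTSIDE_VLAN10 = "192.168.23.0/24"
ISP_GW = "192.168.23.1"        # assumed ISP router address on VLAN 10
CORE_GW = "10.0.0.1"           # assumed next hop into the corporate core
INTERNAL = {"airwave": "10.20.0.10", "radius": "10.20.0.20", "admin-pc": "10.30.0.5"}

DEFAULT_ONLY = [("0.0.0.0/0", ISP_GW)]
WITH_STATICS = DEFAULT_ONLY + [("10.0.0.0/8", CORE_GW)]


def overlaps(a, b):
    """True if two subnets share any address (a NAT inside/outside conflict)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def next_hop(routes, dst):
    """Longest-prefix match: next hop of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def leaks_to_isp(routes, hosts, isp_gw):
    """Internal services the controller would try to reach via the ISP link."""
    return sorted(n for n, ip in hosts.items() if next_hop(routes, ip) == isp_gw)


if __name__ == "__main__":
    # A 255.255.240.0 (/20) client range can swallow the outside /24.
    for vlan3 in ("192.168.16.0/20", "192.168.32.0/20"):
        print(vlan3, "overlaps outside VLAN:", overlaps(vlan3, OUTSIDE_VLAN10))
    print("default only  ->", leaks_to_isp(DEFAULT_ONLY, INTERNAL, ISP_GW))
    print("with statics  ->", leaks_to_isp(WITH_STATICS, INTERNAL, ISP_GW))
```

With only the default route, RADIUS, AirWave and management traffic from the controller would head out the public link; the more specific static route pulls it back to the core while everything else still follows the default gateway.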