Wireless Access

Reply
Contributor II

IP Nat

Hello,

 

I would like to configure IP Nat for our Public Wifi. I looked at the User Guide, and other topics here but I would like to confirm my findings ith you if possible.

 

I have attached a simple diagram of the setup I have in mind.

At the moment our Public Wifi connects to our ISP router via an ASA firewall. This is a legacy setup that was put in place back in the day when the Aruba FW was not EAL4 compliant.

The ASA is doing the NAT rather than the controller. What I would like to achieve is to be able to take the ASA out of the equation and have the contrller connect directly into the ISP using the Nat feature.

 

I'm thinking to do the following:

1- Create vlan 10 ----- IP 192.168.23.x 255.255.255.0 (Outside Address)

2- Vlan 3 ------ 192.168.x.x 255.255.240.0 (cleints' wifi IP address NOT conflicting with the Outside address)

3- DHCP Pool for Vlan 3
3- In the IP interface configuration for Vlan 3 I tick the Enable source NAT for this VLAN

 

Is there anything else that I need to do please?

 

P.S.

How would the controller know to NAT to the Public Wifi IP address of 192.168.x.x and not the Services Outside IP address of 10.47?

Many thanks in advance!

 

 

Aruba

Re: IP Nat

That should work.  Keep in mind, that in order for this setup to work, the controller's default gateway (ip default-gateway) needs to be on VLAN 10.  Any internal networks will need to have static routes setup.

 

You can also setup a firewall policy to put on the external interface if you want to secure it from incoming connection (if the ASA is going away).   http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Network-gt-Ports-Firewall-Policy-Help/m-p/6743/highlight/true#M2495  or http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Using-Aruba-as-edge-firewall/m-p/68292/highlight/true#M13121

 

 

 

 

 

 

 

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II

Re: IP Nat

Hello Clembo and many thanks for your reply.

My concern with this setup is the default gateway.

 

Our corporate Vlans also access 0.0.0.0 however they do so via our corporate link and not via our Public Internet link.

 

Not sure I can have a default Gateway going to 0.0.0.0 for Public and a static route going to 0.0.0.0 for all the corporate Vlans via a different next hope?

 

Many thanks,

 

H

Aruba

Re: IP Nat

If clients use your core network for their default gateway (recommended) then no change is necessary for them to function.  If you set the default gateway of the controller to the external connection, you'll need to add static routes for any internal networks that the controller needs to access (think AirWave, RADIUS, etc.).    This will also affect the networks that you administer the controller from, they too will need static routes.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: