Hi there,
I have a similar case. IP routing is enabled.
I am trying to use NAT in order to give Internet access (directly from the vlan controller) to the users of two different SSIDs, but it is not working.
The configuration is as follows:
!
!
ip access-list eth validuserethacl
permit any
!
!
ip access-list session validuser
network 169.254.0.0 255.255.0.0 any any deny
network 127.0.0.0 255.0.0.0 any any deny
network 224.0.0.0 240.0.0.0 any any deny
host 255.255.255.255 any any deny
network 240.0.0.0 240.0.0.0 any any deny
any any any permit
ipv6 host fe80:: any any deny
ipv6 network fc00::/7 any any permit
ipv6 network fe80::/64 any any permit
ipv6 alias ipv6-reserved-range any any deny
ipv6 any any any permit
!
!
!
vlan 1
vlan 4
vlan 5
vlan 999
!
!
interface gigabitethernet 1/0
description "G1/0 - NAT INSIDE - LAG 1"
no trusted vlan 999
!
interface gigabitethernet 1/1
description "GE1/1 - NAT INSIDE - LAG 1"
no trusted vlan 999
!
interface gigabitethernet 1/2
description "GE1/2 - NAT INSIDE - LAG 1"
lacp group 1 mode active
no trusted vlan 999
!
interface gigabitethernet 1/3
description "GE1/3 - NAT OUTSIDE"
no trusted vlan 1-4094
no trusted
switchport mode access
switchport access vlan 999
ip access-group validuserethacl in
ip access-group validuserethacl out
ip access-group validuser session
!
!
controller-ip vlan 1
!
!
interface vlan 1
ip address 10.10.40.1 255.255.255.0
!
!
interface vlan 4
ip address 10.10.70.1 255.255.255.0
ip nat inside
ip helper-address 172.21.10.173
!
!
interface vlan 5
ip address 10.10.50.1 255.255.255.0
ip nat inside
ip helper-address 172.21.10.173
!
!
interface vlan 999
ip address w.x.y.z 255.255.255.0
ip nat outside
!
!
!
!
ip default-gateway w.x.y.a
!
!
ip route 172.21.28.0 255.255.255.0 172.21.19.1
ip route 172.21.10.0 255.255.255.0 172.21.19.1
ip route 172.21.16.0 255.255.255.0 172.21.19.1
ip route 172.21.25.0 255.255.255.0 172.21.19.1
ip route 10.120.1.0 255.255.255.0 172.21.19.1
!
!
The role used to test this by the WLAN users (using vlans 4 and 5) is the standard "authenticated" role with the allowall access list.
I am thinking that NAT is not working since some internal networks (the ones with subnet 172.21.x.0/24) use public address space instead of the 172.16.x.0/24 private address space and interact with the WLAN networks that use 10.10.n.0/24 networks.
When I say the NAT is not working, I mean that a user connected to the SSIDs related to vlan 4 or vlan 5 cannot reach the internet (we are testing with Windows 10).
Also, I can ping the IP address w.x.y.z/24 assigned to the interface vlan 999, but I cannot ping the default gateway declared on the controller to get access to the internet (the w.x.y.a/24 IP address).
Any guidance about this is more than welcome.
Thanks in advance.
Jose
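Added example (not from the original post or from Aruba's tooling): a small Python checker that parses a controller config excerpt in the shape posted above and flags the consistency problems a reviewer would look for first, namely whether the default gateway sits on the NAT-outside subnet, whether each NAT-inside VLAN uses private space, and whether every static route's next hop is on a directly connected subnet. The sample config is constructed; the w.x.y.z and w.x.y.a placeholders are replaced by documentation-range addresses, which is an assumption.

```python
import ipaddress, re

# Constructed sample modelled on the posted config (not the poster's literal text);
# w.x.y.z and w.x.y.a are replaced by TEST-NET addresses, an assumption.
SAMPLE_CONFIG = """
interface vlan 4
ip address 10.10.70.1 255.255.255.0
ip nat inside
!
interface vlan 999
ip address 203.0.113.10 255.255.255.0
ip nat outside
!
ip default-gateway 198.51.100.1
ip route 172.21.10.0 255.255.255.0 172.21.19.1
"""

def parse_config(text):
    """Collect each VLAN's address and NAT role, the default gateway and static routes."""
    vlans, gw, routes, cur = {}, None, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface vlan (\d+)$", line):
            cur = int(m[1]); vlans[cur] = {"net": None, "nat": None}
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and cur is not None:
            vlans[cur]["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif (m := re.match(r"ip nat (inside|outside)$", line)) and cur is not None:
            vlans[cur]["nat"] = m[1]
        elif m := re.match(r"ip default-gateway (\S+)$", line):
            gw = ipaddress.ip_address(m[1])
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_address(m[3])))
        elif line == "!":
            cur = None  # leave the interface stanza
    return vlans, gw, routes

def check_nat(text):
    """Return findings; an empty list means the basic NAT plumbing is consistent."""
    vlans, gw, routes = parse_config(text)
    findings = []
    connected = [v["net"].network for v in vlans.values() if v["net"]]
    outside = [v["net"].network for v in vlans.values() if v["nat"] == "outside" and v["net"]]
    if not outside:
        findings.append("no interface is marked 'ip nat outside'")
    if gw is not None and not any(gw in o for o in outside):
        findings.append(f"default gateway {gw} is not on a NAT-outside subnet")
    for vid, v in vlans.items():
        if v["nat"] == "inside" and v["net"] and not v["net"].ip.is_private:
            findings.append(f"vlan {vid} is NAT-inside but uses non-private space {v['net'].network}")
    for dst, nh in routes:
        if not any(nh in c for c in connected):
            findings.append(f"route {dst}: next hop {nh} is not on any connected subnet")
    return findings
```

Run `check_nat(SAMPLE_CONFIG)` against your own `show running-config` excerpt; any finding about the gateway or the next hops is a reachability problem that no NAT rule will fix.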