
NAT and VLAN question

VLAN 100 - 10.100.0.0 255.255.0.0
VLAN 200 - 72.13.164.1 255.255.255.224

ip nat pool mynatpool 72.13.164.1 72.13.164.1 0.0.0.0
!
ip access-list session Nat-to-my-Nat-pool
  user any any src-nat pool mynatpool
!
user-role TEST
  session-acl Nat-to-my-Nat-pool

I have users pulling a private address, and then I have a session rule so that they NAT to 72.13.164.1. The NAT is working, but when doing a DNS search, the traffic is tagged with VLAN ID 100. I don't understand why traffic that is NAT'd wouldn't be tagged to the interface/IP address it is being NAT'd to.

Re: NAT and VLAN question

Well...isn't the client part of VLAN 100?  Is this causing an issue?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos

Re: NAT and VLAN question

The client is part of VLAN 100, so yes, this is why it is tagged with VLAN ID 100. If I were to do source NAT, wouldn't the VLAN ID be switched from VLAN 100 to whatever VLAN the IP address of the controller is on? Say I had VLAN 1 designated with the controller IP; then if I were to capture DNS traffic, the traffic should be tagged with VLAN ID 1.

Re: NAT and VLAN question

It all depends on where you capture. You are source NAT'ing the traffic, so if you capture upstream of the controller, you will see a source IP of your NAT pool.

Seth R. Fiermonti

Re: NAT and VLAN question

Correct, say I collect traffic on a monitor port of an upstream switch. The IP is sourced from the NAT pool. The issue that I am seeing is that the VLAN ID, however, is still the original VLAN ID of 200 instead of the VLAN ID of the NAT pool.

Re: NAT and VLAN question

Any way you can post the packet trace excerpt? I am not getting it. If the VLAN tag was 100 in your case, things would have been broken upstream, I would think.
Seth R. Fiermonti

Re: NAT and VLAN question

That is the problem: the link is broken. The traffic is being NAT'd to the correct IP address of 72.15.164.1, but if you look closely, you can see that the VLAN ID is 95. In this instance, I left the role-assigned VLAN ID as unassigned under access control, so it is using the VLAN ID of the controller IP address. However, 72.15.164.1 is actually assigned to VLAN 100. If I change the role VLAN ID assignment under access control to 200, then the packet capture would show the correct NAT'd address, but the VLAN ID will change to 200. This is causing issues with me trying to NAT private IP addresses.

[Attachment: Screen Shot 2013-09-12 at 3.22.44 PM.png]
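The symptom described in this post (a NAT'd source address leaving the controller inside an 802.1Q tag that belongs to a different VLAN) is easy to confirm or rule out mechanically from a capture taken on the upstream monitor port. The following is an added example, not code from the thread or from Aruba: it parses raw Ethernet/802.1Q/IPv4 frames, looks up which configured VLAN the source address belongs to, and flags every frame whose tag disagrees. The VLAN-to-subnet table is taken from the opening post; the frames, MAC addresses and the 198.51.100.53 DNS resolver address are constructed sample data.

```python
# Added example (not from the thread or from Aruba): parse 802.1Q-tagged IPv4
# frames from a capture and flag frames whose source address is not in the
# subnet of the VLAN they are tagged with.
import ipaddress
import struct

# VLAN-to-subnet table taken from the opening post of the thread.
VLAN_SUBNETS = {
    100: ipaddress.ip_network("10.100.0.0/16"),
    200: ipaddress.ip_network("72.13.164.0/27"),
}

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_tagged_ipv4_frame(vlan_id, src_ip, dst_ip):
    """Construct a minimal Ethernet II + 802.1Q + IPv4 frame (sample data only).

    The MAC addresses are made up and the IPv4 checksum is left at zero; this is
    just enough structure for parse_frame() to work on.
    """
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    tci = vlan_id & 0x0FFF  # PCP 0, DEI 0, 12-bit VLAN ID
    tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 17, 0,  # v4/IHL=5, TOS, len, id, frag, TTL, UDP, csum
        ipaddress.ip_address(src_ip).packed,
        ipaddress.ip_address(dst_ip).packed,
    )
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_header


def parse_frame(frame):
    """Return (vlan_id or None, src_ip, dst_ip) for an IPv4 frame, tagged or not."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    l3_offset = 14
    vlan_id = None
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack_from("!H", frame, 14)[0]
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI carry the VLAN ID
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        l3_offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    if (frame[l3_offset] >> 4) != 4:
        raise ValueError("IP version field is not 4")
    src = ipaddress.ip_address(frame[l3_offset + 12:l3_offset + 16])
    dst = ipaddress.ip_address(frame[l3_offset + 16:l3_offset + 20])
    return vlan_id, src, dst


def vlan_for_address(addr, vlan_subnets=VLAN_SUBNETS):
    """VLAN whose subnet contains addr, or None if no configured VLAN matches."""
    for vlan_id, subnet in vlan_subnets.items():
        if addr in subnet:
            return vlan_id
    return None


def check_frame(frame, vlan_subnets=VLAN_SUBNETS):
    """Classify one frame as 'ok', 'mismatch', 'unknown-vlan' or 'untagged'.

    Returns (verdict, tagged_vlan, expected_vlan, src_ip_as_string).
    """
    vlan_id, src, _ = parse_frame(frame)
    expected = vlan_for_address(src, vlan_subnets)
    if vlan_id is None:
        return ("untagged", None, expected, str(src))
    if vlan_id not in vlan_subnets:
        return ("unknown-vlan", vlan_id, expected, str(src))
    if src in vlan_subnets[vlan_id]:
        return ("ok", vlan_id, expected, str(src))
    return ("mismatch", vlan_id, expected, str(src))


def audit(frames, vlan_subnets=VLAN_SUBNETS):
    """Return only the frames that need attention, with their verdicts."""
    return [r for r in (check_frame(f, vlan_subnets) for f in frames) if r[0] != "ok"]


if __name__ == "__main__":
    # Constructed capture: a pre-NAT client frame, the NAT'd DNS query tagged with
    # the pool's VLAN, and the same query tagged with the client's VLAN instead.
    sample = [
        build_tagged_ipv4_frame(100, "10.100.5.7", "198.51.100.53"),
        build_tagged_ipv4_frame(200, "72.13.164.1", "198.51.100.53"),
        build_tagged_ipv4_frame(100, "72.13.164.1", "198.51.100.53"),
    ]
    for verdict, tagged, expected, src in audit(sample):
        print(f"{verdict}: src {src} tagged VLAN {tagged}, expected VLAN {expected}")
```

Feed real frames by reading them from a pcap with any pcap library and passing the raw bytes to `audit()`; a `mismatch` result with `expected VLAN 200` on the NAT pool address is exactly the condition the post describes, and an `unknown-vlan` result catches the tag of 95 mentioned above, which is not in the table at all.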

Re: NAT and VLAN question

Can you post your config?
Seth R. Fiermonti

Re: NAT and VLAN question

I have emailed it to you. 
