Wireless Access

Aruba
Posts: 1,296
Registered: 08-29-2007

NAT'd vlan but want different NAT ip for split-tunnel ssid

I have a scenario where there are two vlans, for corp and guest, with both 'ip nat inside'.


The internet route is via a firewall and currently the corp traffic is NAT'd behind a different ip address, due to the traffic being sent to an internet proxy.  I was able to achieve this with a rule of 'any any any src-nat pool corp-inet'.

For a new site, the customer wanted to set up a split-tunnel ssid to drop out local subnets from the APs and tunnel everything else.  Unfortunately, the src-nat rule does not work for split-tunnel mode, and the corp traffic is now NAT'd behind the guest NAT address.


I am thinking the only thing to try now is to apply a session-acl to the interface as the traffic egresses from the port?  Something like this....


ip access-list session DMZ-Internet-port
  network 10.0.0.0 255.0.0.0 any any src-nat pool corp-inet-DMZ
  any any any permit

I hope I've made that clear, but would the above work with split-tunnel traffic to be NAT'd behind a different address?  I guess I am wondering what the internal order of processing is on the controller.  Is the ip-nat-inside rule applied before it hits the interface?


Thanks


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
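A constructed Python model of the session ACL proposed in the post above, added here as an example and not ArubaOS code or anything from the thread. It assumes top-down first-match rule evaluation and a guest client in 192.168.50.0/24 (both assumptions), and shows why the wildcard permit has to sit below the src-nat rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: rules are evaluated top-down and the first match wins.
# This is a model of the ACL text on the page, not controller behaviour.

@dataclass
class Rule:
    src: ipaddress.IPv4Network   # 'any' is modelled as 0.0.0.0/0
    action: str                  # 'permit' or 'src-nat'
    pool: Optional[str] = None   # NAT pool name for src-nat rules

def parse_acl(text: str) -> List[Rule]:
    """Parse the subset of 'ip access-list session' syntax used in the post:
    '<src> <dst> <svc> <action> [pool <name>]', src = 'any' | 'network A M'."""
    rules = []
    for line in text.strip().splitlines()[1:]:   # skip the access-list header
        tok = line.split()
        if tok[0] == "network":
            src = ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}")  # mask form is accepted
            tok = tok[3:]
        else:
            src = ipaddress.IPv4Network("0.0.0.0/0")
            tok = tok[1:]
        # tok is now: dst svc action [pool name]
        action = tok[2]
        pool = tok[4] if action == "src-nat" else None
        rules.append(Rule(src, action, pool))
    return rules

def evaluate(rules: List[Rule], src_ip: str) -> Tuple[str, Optional[str]]:
    """Return (action, pool) of the first rule matching the source address;
    ('deny', None) models the implicit deny when nothing matches."""
    ip = ipaddress.IPv4Address(src_ip)
    for r in rules:
        if ip in r.src:
            return (r.action, r.pool)
    return ("deny", None)

ACL = """ip access-list session DMZ-Internet-port
  network 10.0.0.0 255.0.0.0 any any src-nat pool corp-inet-DMZ
  any any any permit"""

RULES = parse_acl(ACL)

if __name__ == "__main__":
    for host in ("10.20.30.40", "192.168.50.7"):   # corp client, assumed guest client
        print(host, "->", evaluate(RULES, host))
    # Swapping the two rules lets the wildcard permit shadow the NAT rule.
    print("reordered:", evaluate(list(reversed(RULES)), "10.20.30.40"))
```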
Guru Elite
Posts: 21,588
Registered: 03-29-2007

Re: NAT'd vlan but want different NAT ip for split-tunnel ssid

How many access points are at that site?




Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba
Posts: 1,296
Registered: 08-29-2007

Re: NAT'd vlan but want different NAT ip for split-tunnel ssid

8 or 9.



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Guru Elite
Posts: 21,588
Registered: 03-29-2007

Re: NAT'd vlan but want different NAT ip for split-tunnel ssid

Could you use "Bridge" instead of split-tunnel for corporate traffic?  Split-Tunnel is normally only good for smaller sites with a few access points...



Colin Joseph
Aruba Customer Engineering


Aruba
Posts: 1,296
Registered: 08-29-2007

Re: NAT'd vlan but want different NAT ip for split-tunnel ssid

That's an option, but I'd prefer not to because we lose the Lync optimisations and benefits.

Then again, I could just "route src-nat" the internet traffic out the AP and let it flow out like wired traffic to the internet, which I assume would have the correct NAT address.



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Guru Elite
Posts: 21,588
Registered: 03-29-2007

Re: NAT'd vlan but want different NAT ip for split-tunnel ssid

So taking a step back:

- you have 9 access points at that site

- They are all configured as remote APs

- You have a controller at the headend

- What is transmitting the WAN traffic back to the controller?  Is there a site to site VPN or only an internet connection? 



Colin Joseph
Aruba Customer Engineering


Aruba
Posts: 1,296
Registered: 08-29-2007

Re: NAT'd vlan but want different NAT ip for split-tunnel ssid


cjoseph wrote:

So taking a step back:

- you have 9 access points at that site.  Yes

- They are all configured as remote APs.  One at the moment for testing this.

- You have a controller at the headend.  Yes

- What is transmitting the WAN traffic back to the controller?  Is there a site to site VPN or only an internet connection? It is an MPLS network.


Unfortunately, the setup is complicated by the fact that they did not want to ask their provider to configure additional ports, vlans etc. because it would cost them money.  Despite my warnings and reluctance, they insisted it all be NAT'd.

So in the end I have a slightly complicated setup with different NAT addresses and esi-redirects.  That all works fine for tunnelled corp ssids.


They just want to know the possibility to break out those local site subnets from the AP, which is fine, but it now means their corp internet traffic is being NAT'd behind the wrong address at the controller.



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Aruba
Posts: 1,296
Registered: 08-29-2007

Re: NAT'd vlan but want different NAT ip for split-tunnel ssid

I gave them the options to move forward and it has been decided that it is too difficult to reconfigure ports, switches and add a dhcp scope for the site.  So back to just tunnel mode ssid.



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com