Wireless Access

Contributor II
Posts: 44
Registered: ‎04-06-2011

NAT setup to not use controller IP

Hello,

We have two VLANs trunked to our 6000 / M3 controllers (Guest and ADMIN).  The clients are not configured to use the controller as a gateway; they pass through.  The Guest VLAN has a Public IP assigned to the interface, and the Admin VLAN has a private IP address.  All Virtual APs are dropping broadcast and multicast.  The Controller IP is on the Private Admin network.

I would like to set up a new Guest Internet SSID using NAT which will allow Apple services such as Bonjour.  From what I understand when using NAT, the outside IP will be the controller IP.  In this case, I want to use the Public IP address of the Guest interface for the NAT outside IP.  How can I do this?



Thanks,
Bryan

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: NAT setup to not use controller IP

Bryanc,

 

Bonjour cannot cross a NAT boundary.  Please describe the application in this deployment.

 

To make a controller NAT out of the ip address that is not the controller address you can use the article here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-NAT-and-redirect-of-specific-traffic-using-ACL-on-Aruba/ta-p/184528



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 44
Registered: ‎04-06-2011

Re: NAT setup to not use controller IP

Thanks for the information.  Clients on the new NAT-ed SSID/VLAN will have private IPs and the controller will be their default gateway in this case.  So my main goal is to get the traffic NAT-ed out the Guest Internet interface instead of (by default) the internal controller IP interface.  I am not 100% sure the article addresses this?

 

I know about the Bonjour limitations, all usage will be contained on the new SSID/VLAN, so for this it won't be an issue.  That is one of the reasons for setting up this new SSID so we can have easy Bonjour usage in a certain area for limited users, without affecting the rest of our production WiFi.  The reason for the NAT is so a number of OSX servers can run with app download caching enabled.

 

 

Thanks,

Bryan

 

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: NAT setup to not use controller IP

Bryanc,

 

If you want clients to nat out of the public ip address on the controller you can:

 

- Create a NAT pool that only has the controller's public ip address

- On the last line of the guest user's post authentication role, write a rule that has

any any any src-nat pool thatpoolname

That will nat all traffic out of the controller's pool ip address.  Please see details in the src-nat description of the command here:  http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/ip_access_list_session.htm

 

 

 



Colin Joseph
Aruba Customer Engineering
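
The two steps in the answer above, written out as an ArubaOS 6.x configuration sketch. This is an added example, not part of the original posts or Aruba's documentation; the pool, ACL and role names, the 203.0.113.10 address standing in for the controller's public Guest-VLAN IP, and the 10.0.0.0/8 range standing in for the private Admin network are all constructed placeholders.

```text
! Constructed example: replace every name and address with your own values.
!
! Step 1: a NAT pool that contains only the controller's public IP
! (start and end address are the same, so the pool has one address).
ip nat pool guest-public 203.0.113.10 203.0.113.10
!
! Step 2: session ACL for the guest post-authentication role.
! Session ACLs are evaluated top-down and the first match wins, so any
! restriction must sit ABOVE the catch-all src-nat rule. The deny line
! is an assumed illustration that keeps NAT-ed guests off the private
! Admin network; it is not from the thread.
ip access-list session guest-src-nat
  any network 10.0.0.0 255.0.0.0 any deny
  any any any src-nat pool guest-public
!
! Attach the ACL to the role that guest users receive after
! authentication. If the role already has other session ACLs, this one
! goes last so the src-nat rule is the final line evaluated.
user-role guest-nat
  access-list session guest-src-nat
!
```

Because the final rule matches and permits everything, whatever is not denied earlier in the role leaves the controller sourced from the pool address.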
