Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

NAT troubleshooting (of VPNs)

  • 1.  NAT troubleshooting (of VPNs)

    Posted Feb 04, 2014 08:23 AM

    Hi All,

     

    I'm in the process of troubleshooting a customer's challenge with certain VPN traffic (drops, I'm told). I'm going to site tomorrow to see what the traffic looks like (i.e. NAT-T, but possibly something else).

     

    In the meantime, I'm looking at the controller remotely, wondering if it's something to do with NAT limits.

     

    The controller is NAT'ing users, to a single public IP at the moment. There's about 1500 users.

     

    Can anyone suggest a CLI command that accurately shows a summary of the current outbound NAT translations and/or sessions? In terms of maximum possible and current active? Rather than looking through the entire session table which is massive as you'd expect!

     



  • 2.  RE: NAT troubleshooting (of VPNs)

    Posted Feb 04, 2014 03:03 PM

     

    This isn't necessarily what you're looking for, but maybe it could help:

    (HOME-MASTER-CONTROLLER) #show datapath nat table

    Datapath NAT Table Entries
    --------------------------
    Pool  SIP Start        SIP End          DIP
    ----  ---------------  ---------------  ---------------



  • 3.  RE: NAT troubleshooting (of VPNs)

    Posted Feb 04, 2014 04:37 PM

    Hi,

     

    Yeah, I found that one, but it seems to show configuration aspects rather than live NAT information?

     

    Thanks anyway.



  • 4.  RE: NAT troubleshooting (of VPNs)

    Posted Feb 05, 2014 05:23 AM

    Right,

     

    I have a suspicion that the VPN traffic type my customer has in question is PPTP. Haven't got to site yet due to transport disruption!

     

    My understanding is that throughout the AOS lifecycle, support for PPTP over NAT has been added and removed at various stages.

     

    The customer is currently on 6.2.1.2.

     

    So, I guess I have 3 questions.

     

    1. Is PPTP supported in this version? If not, does anybody have an authoritative view of what versions do support it?

    2. Does anybody know if you can do the equivalent of a static PAT (like you could on a Cisco ASA) within any NAT configuration context or role rule/policy? I.e., don't translate the source port? I've looked and can't see an obvious way.

    3. My understanding (which might be wrong), is that half the problem with PPTP, is that it doesn't like source ports being changed. Am I wrong? If this is the case, I can't see that it's worth me looking at implementing an external NAT pool, to increase translation potential over multiple source IPs?