Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Public IPs to different ports on a 650 Controller

  • 1.  Public IPs to different ports on a 650 Controller

    Posted Jun 04, 2012 02:04 PM

    Hello, I have been given a block of public IP's from my ISP that I need to have on the controller so that I can do 1-1NAT and/or port forwarding with to internal devices.  The controller only allows you to assign one of those IP's on a VLAN and apply that VLAN to a physical port on the controller.  I get the following error when I try to give another of those IPs to a different VLAN

    interface vlan 4 ip address X.X.X.X 255.255.255.0:IP Address conflicts with another Interface

    Obviously the IPs are all on the same subnet as they were provided by my ISP.  How can I utilize these IP's if I can't assign them to other ports?  Can you somehow command line assign additional IPs to one interface?


    Any help appreciated.

     

    Thanks,


  • 2.  RE: Public IPs to different ports on a 650 Controller

    Posted Jun 04, 2012 03:35 PM

    You can create a pool of source-NAT addresses using the command:

        ip nat pool <name> 1.1.1.1 1.1.1.1
        ip nat pool <name2> 1.1.1.2 1.1.1.2
        etc...

    Then, use an ACL on the user role to source-NAT outbound (and return) traffic:

        ip access-list session <name>
        host 10.1.1.1 any any src-nat <pool name>
        host 10.1.1.2 any any src-nat <pool name 2>
        etc...

    If you need inbound access to those addresses, set up an ACL and apply it to the inbound interface, and make sure the user VLANs are set for "ip nat inside":

        ip access-list session <inbound name>
        host 1.1.1.1 any svc-http dst-nat ip 10.1.1.1
        host 1.1.1.2 any svc-dns dst-nat ip 10.1.1.2
        etc..

        int gig 1/0
        ip access-group <inbound name> session

        int VLAN 1
        ip nat inside

    That should do what you want.  The IPs in the NAT pool don't have to be assigned to an interface directly.



  • 3.  RE: Public IPs to different ports on a 650 Controller

    Posted Jun 06, 2012 02:04 PM

    Thanks for the quick response olino, and you'll see from my posts I don't have much experience with Aruba.  I had to wait until after hours to try to apply the changes as the controller is live and I didn't want to take down the uplink somehow, but I never got your suggestions to work.  Let me explain my network architecture a bit more and then what I tried.

         Subnet provided by ISP for use:  10.0.0.1/28
         Controller IP: 10.0.0.2
         Controller default gateway: 10.0.0.1
         VLAN 1:   IP 10.0.0.2/24    on gig 1/0
         VLAN 2:   IP 172.16.1.1/24  on gig 1/1  ip nat inside

    Prior to attempting your recommendations, there were absolutely no NAT pools in my config other than this one:

         ip nat pool dynamic-srcnat 0.0.0.0 0.0.0.0

    I'm not sure what in the config was already making src-nat work to cause VLAN 2 to be NATted behind VLAN 1.  I don't have any user roles or wired AAA profiles applied to either VLAN 1 or VLAN 2; rather, on gig 1/0 I have an access-list allowing inbound NAT-T, HTTPS, SSH, ICMP, and port 4343 to the controller IP.  On gig 1/1 (VLAN 2) I have no access-list, nor is the VLAN assigned to any user role, and none of the IPs on that VLAN show under the user list.

    So my first question is what is making this work NAT-wise in the first place?  I get that the controller's default gateway lives on the same subnet as the IP on VLAN 1, so is that doing it by default?  I do have one entry in the Uplink Management Table that shows VLAN 1 as a wired uplink, but the manager is disabled so I don't think that is it.

    And now I want to use my additional provided external IP addresses 10.0.0.3 and 10.0.0.4 on the controller to NAT to different devices on VLAN 2.  I created the NAT pools leaving the "Destination NAT IP" blank, although I'm curious what putting something in that destination NAT IP address does?

         ip nat pool <name1> 10.0.0.3 10.0.0.4

    Then I created VLAN 3 and applied it to gig 1/2 without assigning an IP to it, and I connected it to the same switch that my uplink VLAN 1 (10.0.0.2) is configured to.  Then I created a session access list to dst-nat the ports that I need:

         ip access-list session <inbound-name>
         host 10.0.0.3 any svc-http dst-nat ip 172.16.1.10
         host 10.0.0.3 any svc-https dst-nat ip 172.16.1.10

    Then I applied that as the session firewall policy on port gig 1/2.  I presumed that since the devices behind VLAN 2 were already src-NATting through VLAN 1, I couldn't add another src-nat rule for devices behind VLAN 2.

    I'm sure I'm way off the mark here as I didn't have any luck.  Do I need to apply AAA profiles to the wired ports on the controller?

    Thanks again, I really appreciate the advice.



  • 4.  RE: Public IPs to different ports on a 650 Controller

    Posted Jun 06, 2012 02:14 PM

    Instead of creating VLAN 3 and applying the ACL there, apply those same ACL entries to the ACL you have already applied to gig1/0.

     

    The second one probably won't work, since you already have an entry that allows HTTPS to your controller.  You should remove the existing HTTPS line and replace it with the new one.  You don't have to have HTTPS to your controller, only tcp/4343.  You will have to remember to add ":4343" to the end of your URL once you remove HTTPS to the controller.

     

    Everything else should be correct. 



  • 5.  RE: Public IPs to different ports on a 650 Controller

    Posted Jun 06, 2012 03:34 PM

    Hmm.. but that's what I'm needing to accomplish.  I have multiple public IPs so that I can use say port 80 or port 443 on several of them and dst-nat them to devices on the inside. 

     

    That's why I initially tried to have those public IPs assigned to additional physical ports or at least add those IPs as additional IPs off the same interface.  Neither of which seems to be an option with Aruba.

     

    There has to be a way to do 1:1 NAT...

        10.0.0.3          10.0.0.4          10.0.0.5          PUBLIC IPs
           |                 |                 |
           v                 v                 v
        172.16.1.10       172.16.1.11       172.16.1.12       INTERNAL IPs



  • 6.  RE: Public IPs to different ports on a 650 Controller
    Best Answer

    Posted Jun 06, 2012 04:24 PM

    The controller will NAT to/from 10.0.0.3, 10.0.0.4 and 10.0.0.5 without having them assigned to an interface.  Since you already have 10.0.0.2 assigned, the routing will work right.  .3, .4 and .5 can be used in the NAT pool and will be sent to and received from gig 1/0.



  • 7.  RE: Public IPs to different ports on a 650 Controller

    Posted Jun 18, 2012 10:34 AM
    Thanks Olino it's working perfectly. Sorry I haven't given feedback sooner. After simply creating a NAT pool with the public IPs I wanted and applying the DST-NAT ACL on the physical uplink-port I now have individual tcp ports correctly natting to different local IPs. Thanks again!

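The recipe that replies 2, 6 and 7 converge on (a NAT pool holding the spare public addresses, dst-nat rules appended to the session ACL already on the uplink port, and `ip nat inside` on the user VLAN) is mechanical enough to generate, and the failure mode reply 4 warns about (an earlier, broader permit in the same first-match ACL swallowing the new dst-nat entry) is easy to check for before pasting anything into a live controller. The script below is an added example written for this page; it is not Aruba's code and not anything the posters provided. The CLI keywords and field order copy the lines reported as working above, the pool and ACL names and all function names are this example's own choices, and the 10.0.0.x / 172.16.1.x addresses are the thread's own placeholders, constructed here as sample input. Check the output against the CLI reference for your ArubaOS release before applying it.

```python
"""Generate and sanity-check an ArubaOS 1:1 NAT / port-forward configuration.

Added example for this thread, not Aruba's code.  The emitted CLI mirrors the
syntax the posts above report as working on a 650 controller; the pool name,
ACL name and function names are this example's own choices.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One session-ACL entry in the order the thread uses:
    <source> <destination> <service> <action>."""
    src: str     # 'any' or an IP address
    dst: str     # 'any' or an IP address
    svc: str     # 'any' or a service name such as svc-http
    action: str  # 'permit', 'deny', or 'dst-nat ip <internal>'

    def cli(self) -> str:
        def field(x: str) -> str:
            return "any" if x == "any" else f"host {x}"
        return f"{field(self.src)} {field(self.dst)} {self.svc} {self.action}"


def _covers(earlier: str, later: str) -> bool:
    """Field of an earlier rule matches every packet the later field matches."""
    return earlier == "any" or earlier == later


def find_shadowed(rules):
    """Session ACLs are evaluated first-match, so a broader entry placed before
    a dst-nat entry silently disables the port forward (reply 4's warning).
    Returns (earlier_index, later_index) for every rule that can never match."""
    hits = []
    for j, later in enumerate(rules):
        for i in range(j):
            e = rules[i]
            if _covers(e.src, later.src) and _covers(e.dst, later.dst) \
                    and _covers(e.svc, later.svc):
                hits.append((i, j))
                break
    return hits


def build_config(isp_block, controller_ip, gateway, inside_net, inside_vlan,
                 uplink_port, forwards, existing_rules=(),
                 pool_name="public-1to1", acl_name="inbound-1to1"):
    """forwards: [(public_ip, internal_ip, service), ...].
    existing_rules: entries already on the uplink ACL; the dst-nat rules are
    appended after them, as reply 4 recommends.
    Returns (cli_text, shadowed_pairs)."""
    block = ipaddress.ip_network(isp_block, strict=False)
    inside = ipaddress.ip_network(inside_net, strict=False)
    reserved = {ipaddress.ip_address(controller_ip), ipaddress.ip_address(gateway)}
    publics = []
    for pub, internal, _ in forwards:
        p, i = ipaddress.ip_address(pub), ipaddress.ip_address(internal)
        if p not in block:
            raise ValueError(f"{pub} is outside the ISP block {block}")
        if p in reserved:
            # Reusing an address that is already an interface or gateway
            # address is the conflict the original poster ran into.
            raise ValueError(f"{pub} is the controller or gateway address")
        if i not in inside:
            raise ValueError(f"{internal} is not in the inside VLAN {inside}")
        publics.append(p)
    rules = list(existing_rules) + [
        Rule(pub, "any", svc, f"dst-nat ip {internal}")
        for pub, internal, svc in forwards
    ]
    # One pool spanning lowest..highest public address; pool members are
    # never assigned to an interface (reply 6).
    lines = [f"ip nat pool {pool_name} {min(publics)} {max(publics)}",
             f"ip access-list session {acl_name}"]
    lines += [f"  {r.cli()}" for r in rules]
    lines += [f"interface gigabitethernet {uplink_port}",
              f"  ip access-group {acl_name} session",
              f"interface vlan {inside_vlan}",
              "  ip nat inside"]
    return "\n".join(lines), find_shadowed(rules)


# Constructed sample using the thread's placeholder addressing.
SAMPLE_FORWARDS = [
    ("10.0.0.3", "172.16.1.10", "svc-http"),
    ("10.0.0.3", "172.16.1.10", "svc-https"),
    ("10.0.0.4", "172.16.1.11", "svc-https"),
    ("10.0.0.5", "172.16.1.12", "svc-http"),
]
# Constructed stand-in for the management ACL already on the uplink port.
EXISTING_UPLINK_ACL = [
    Rule("any", "10.0.0.2", "svc-ssh", "permit"),
    Rule("any", "10.0.0.2", "svc-https", "permit"),
]


def demo(existing=EXISTING_UPLINK_ACL):
    return build_config("10.0.0.0/28", "10.0.0.2", "10.0.0.1", "172.16.1.0/24",
                        2, "1/0", SAMPLE_FORWARDS, existing_rules=existing)


if __name__ == "__main__":
    cli, shadowed = demo()
    print(cli)
    print("shadowed:", shadowed)
```

`build_config` rejects a public address outside the ISP block or equal to the controller or gateway address, and the shadow check reports index pairs so the offending permit can be moved below the dst-nat entries or narrowed to `host <controller-ip>`, which is what keeps the management rule from swallowing the forward.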

  • 8.  RE: Public IPs to different ports on a 650 Controller

    Posted Nov 30, 2012 08:14 AM

    Please, this is very urgent. I have an Aruba 650 controller which I configured with the IP address 10.156.2.9,
    but the next day when I wanted to log in to the interface, the IP address I configured was not accepted.
    So I went to a command prompt to type ipconfig and, to my surprise, I am seeing this IP address: 169.254.193.8. I tried typing this IP in Explorer but can't log in to my Aruba 650.
    Please, what can I do?

