Aruba
Posts: 1,285
Registered: 08-29-2007

Redirect guest traffic to DMZ via esi-server and nat behind controller DMZ ip

Hi,

I have a requirement to have the corp and guest traffic egress out different interfaces. I am using the esi-server feature, and followed this post: https://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Need-help-routing-internet-traffic-from-our-guest-and-corporate/m-p/22348/highlight/true#M6505

Basically, the guest vlan is 'ip nat inside' and all traffic (apart from dhcp) is redirected into the tunnel.  The controller-ip is set to the controller DMZ ip, being 10.237.8.42.

What I was expecting is that the guest user traffic would egress out that interface and be NAT'd behind 10.237.8.42, being the controller-ip.

What I see with a capture on the controller, is that the guest traffic is egressing out that interface but is NAT'd behind the corp ip address, and hence being dropped on the firewall.

The rules are as follows:

guest-logon-control
-------------------
Priority  Source  Destination  Service   Action                                          TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------   ------                                          ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         user    any          udp 68    deny                                                                     Low
2         any     any          svc-dhcp  permit                                                                   Low
3         any     any          svc-icmp  redirect esi-group DMZ-Group direction forward                           Low
4         any     any          svc-dns   redirect esi-group DMZ-Group direction forward                           Low
5         any     any          svc-natt  redirect esi-group DMZ-Group direction forward                           Low

And I see the hits in the firewall:

(controller) # show acl hits

User Role ACL Hits
------------------
Role         Policy               Src   Dst               Service    Action    Dest/Opcode  New Hits  Total Hits  Index
----         ------               ---   ---               -------    ------    -----------  --------  ----------  -----
guest-logon  guest-logon-control  any   any               svc-dhcp   permit                 0         37          8602
guest-logon  guest-logon-control  any   any               svc-icmp   redirect  4233         0         12          8603
guest-logon  guest-logon-control  any   any               svc-dns    redirect  4233         202       5366        8604

Obviously I'm doing something wrong here, but can anyone advise?

Thanks

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Aruba
Posts: 1,368
Registered: 12-12-2011

Re: Redirect guest traffic to DMZ via esi-server and nat behind controller DMZ ip

Can you post your entire controller config (or at least the relevant bits)?

Also, a network diagram would be useful.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Aruba
Posts: 1,285
Registered: 08-29-2007

Re: Redirect guest traffic to DMZ via esi-server and nat behind controller DMZ ip

What I am trying to achieve is in the diagram below.

[image: redirect esi.jpg]

The relevant config is as follows:

esi ping health-30sec
  frequency 30
  timeout 2
  retry-count 2
!
esi server DMZ-Gateway
  trusted-ip-addr 10.237.8.250
  untrusted-ip-addr 10.237.8.250
  mode route
!
esi group DMZ-Group
  ping health-30sec
  server DMZ-Gateway
!
interface vlan 8
  ip address 10.237.8.42 255.255.255.0
!
interface vlan 2
  ip address 10.237.2.244 255.255.255.0
  operstate up
!
interface vlan 192
  ip address 192.168.110.1 255.255.254.0
  ip nat inside
  operstate up
!
interface vlan 202
  ip address 10.242.202.1 255.255.254.0
  ip helper-address 10.237.2.2
  ip nat inside
  operstate up
!
ip access-list session guest-logon-control
  user any udp 68 deny
  any any svc-dhcp permit
  any any svc-icmp redirect esi-group DMZ-Group direction forward
  any any svc-dns redirect esi-group DMZ-Group direction forward
  any any svc-natt redirect esi-group DMZ-Group direction forward
!

According to the UG, "If the controller is forwarding the packets at Layer-3, packets that exit the VLAN are given the IP address of the next-hop VLAN for their source IP address." Given that the esi rule is redirecting the traffic and hence routing out the DMZ interface, I would have expected the traffic to have a source address of that DMZ interface (and also since the controller-ip is the DMZ ip), but instead it has the corp address.

Now if I change the default route to point to the DMZ, it is then NAT'd with the correct source address, but that just gives me another headache with how to handle corp internet traffic.

Aruba
Posts: 1,368
Registered: 12-12-2011

Re: Redirect guest traffic to DMZ via esi-server and nat behind controller DMZ ip

Would you be able to remove IP NAT inside from the interface on the controller?

Aruba
Posts: 1,285
Registered: 08-29-2007

Re: Redirect guest traffic to DMZ via esi-server and nat behind controller DMZ ip

It then comes out with a source address of its own IP, 192.168.111.x.

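Added example for this thread (my own script, not from the thread and not Aruba code): it replays the posted guest-logon-control policy as a first-match session ACL, so you can see which priority a given guest flow lands on, and sorts a tcpdump -nn capture taken on the DMZ VLAN by the source address the controller stamped on each packet, so the three outcomes discussed above (NAT'd behind 10.237.8.42, NAT'd behind the corp address, or not NAT'd at all) show up as counts. Addresses are taken from the posted config. Assumptions made here: 10.237.2.244 (vlan 2) is the "corp ip" the capture showed; the svc-* aliases are reduced to protocol and destination port; "user" is approximated as a source inside one of the two guest subnets; the capture lines are constructed for the example.

```python
"""Replay the posted guest-logon-control policy and classify DMZ-side
packets by the NAT source address the controller used. Example code for
the thread above, not Aruba's and not the poster's; see the constants
for which values are taken from the posted config and which are assumed."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

DMZ_CONTROLLER_IP = ip_address("10.237.8.42")    # vlan 8, also the controller-ip (from config)
CORP_CONTROLLER_IP = ip_address("10.237.2.244")  # vlan 2; ASSUMED to be the "corp ip" in the capture
GUEST_NETS = [ip_network("192.168.110.0/23"), ip_network("10.242.202.0/23")]  # 'ip nat inside' VLANs

# Service aliases as used in the posted ACL, SIMPLIFIED here to (proto, dst ports).
SERVICES = {
    "udp 68":   ("udp", {68}),
    "svc-dhcp": ("udp", {67, 68}),
    "svc-icmp": ("icmp", None),
    "svc-dns":  ("udp", {53}),
    "svc-natt": ("udp", {4500}),
}

# guest-logon-control as posted, in priority order. First match wins; a flow
# matching nothing falls through to the implicit deny at the end.
GUEST_LOGON_CONTROL = [
    ("user", "any", "udp 68",   "deny"),
    ("any",  "any", "svc-dhcp", "permit"),
    ("any",  "any", "svc-icmp", "redirect esi-group DMZ-Group"),
    ("any",  "any", "svc-dns",  "redirect esi-group DMZ-Group"),
    ("any",  "any", "svc-natt", "redirect esi-group DMZ-Group"),
]


def is_guest(ip):
    """True if the address sits in one of the guest VLANs (stand-in for 'user')."""
    addr = ip_address(str(ip))
    return any(addr in net for net in GUEST_NETS)


def match_rule(src, proto, dport):
    """Return (priority, action) of the first rule a client flow matches,
    or (None, 'deny') for the implicit deny."""
    for prio, (rule_src, _rule_dst, svc, action) in enumerate(GUEST_LOGON_CONTROL, 1):
        if rule_src == "user" and not is_guest(src):
            continue
        svc_proto, svc_ports = SERVICES[svc]
        if svc_proto != proto:
            continue
        if svc_ports is not None and dport not in svc_ports:
            continue
        return prio, action
    return None, "deny"


# 'tcpdump -nn' IPv4 lines: "IP a.b.c.d[.port] > w.x.y.z[.port]: PROTO ..."
PKT_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<proto>ICMP|UDP|TCP)"
)


def nat_source_class(line):
    """Classify one packet seen on the DMZ VLAN by its source address."""
    m = PKT_RE.search(line)
    if not m:
        return None        # not an IPv4 line this parser understands
    src = ip_address(m["src"])
    if src == DMZ_CONTROLLER_IP:
        return "nat-dmz"   # NAT'd behind the controller-ip: the expected result
    if src == CORP_CONTROLLER_IP:
        return "nat-corp"  # NAT'd behind the corp VLAN address: what the capture showed
    if is_guest(src):
        return "no-nat"    # guest client address left the controller un-NAT'd
    return "other"         # ESI gateway, health-check replies, unrelated hosts


def summarise(capture):
    """Count packets per NAT-source class; anything but 'nat-dmz' is a finding."""
    counts = Counter()
    for line in capture.splitlines():
        cls = nat_source_class(line)
        if cls is not None:
            counts[cls] += 1
    return dict(counts)


# CONSTRUCTED sample (not from the thread), in tcpdump -nn form.
SAMPLE_CAPTURE = """\
IP 10.237.2.244.40001 > 8.8.8.8.53: UDP, length 32
IP 10.237.2.244 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
IP 10.237.8.42.40002 > 8.8.4.4.53: UDP, length 32
IP 192.168.111.25.40003 > 8.8.8.8.53: UDP, length 32
IP 10.237.8.250 > 10.237.8.42: ICMP echo reply, id 7, seq 1, length 64
"""

if __name__ == "__main__":
    print(match_rule("192.168.110.20", "udp", 53))   # (4, 'redirect esi-group DMZ-Group')
    print(match_rule("192.168.110.20", "tcp", 443))  # (None, 'deny')
    print(summarise(SAMPLE_CAPTURE))  # {'nat-corp': 2, 'nat-dmz': 1, 'no-nat': 1, 'other': 1}
```

Feed summarise() the text of a capture taken on the DMZ side of the controller (tcpdump -nn on a host or span port in VLAN 8, facing 10.237.8.250); anything other than nat-dmz in the result is the symptom this thread is about, and no-nat is what the last reply describes after removing ip nat inside. match_rule() only models the one policy that was posted, so a flow it reports as the implicit deny may still be handled by whatever other policies the guest-logon role carries; its priorities should line up with the rules that show hits in show acl hits.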