Occasional Contributor II

VPN IPSec and NAT on a 3200 controller

Hi guys, 

I'm really stuck trying to reach all my VLANs on my 3200 controller via VPN IPsec. Hope to get some help here.

 

My configuration is this:

controller IP: 172.16.0.254

vlan 10 192.168.0.0

vlan 20 10.1.99.0

 

IPsec pool: 192.168.0.240-254

Role: default VPN role (I removed the allow-all and added the src-nat: user any any src-nat).

I connect and get a 192.168.0.x address. Router address 172.16.0.254.

I am trying to reach the 10.1.99.0 network but can't.

 

Appreciate some help, I'm kind of new to this.

 

Thanks!

 

Frequent Contributor II

Re: VPN IPSec and NAT on a 3200 controller

Just to clarify, you're trying to VPN from a device to the controller, correct? Your VPN client says you're connected, yet you cannot reach the 10.1.99.0 network once connected?

Network Engineer | Airhead | Titus 3:5
Occasional Contributor II

Re: VPN IPSec and NAT on a 3200 controller

Yes, that is correct.

Frequent Contributor II

Re: VPN IPSec and NAT on a 3200 controller

Check your vpn user role to make sure that your first ACL is "any any src-nat <pool>". If you haven't already, you'll need to create a source nat pool that includes an IP address on your controller that your VPN users will be NAT'd by.

 

I don't recall if this is absolutely necessary, but I also included a "permit any any" AFTER the src-nat ACL. Working fine for me.

Occasional Contributor II

Re: VPN IPSec and NAT on a 3200 controller

My first ACL is any any src-nat. I made a NAT pool:

Start IP Address: 192.168.0.240

End IP Address: 192.168.0.254

Destination NAT IP Address: 10.1.99.1

 

Then I added the permit any any, but it's not working.

Is the NAT pool set up correctly?

Should I select the "Used by VPN" option also?

 

The permit any any is at the end.

Frequent Contributor II

Re: VPN IPSec and NAT on a 3200 controller

Close, but the NAT pool actually just needs to be a single IP address. In other words, the starting & ending IP should be the same IP on the controller that you want traffic to be NAT'd out of. Also, the destination IP should be the same single IP.

 

I'd like to better understand why the nat pool has to be configured like that, but I do know that it works.

Occasional Contributor II

Re: VPN IPSec and NAT on a 3200 controller

Huh... so I have to set the starting, ending and destination NAT address all to 10.1.99.1?

 

Frequent Contributor II

Re: VPN IPSec and NAT on a 3200 controller

Yes. That will probably be your egress interface IP address.

Occasional Contributor II

Re: VPN IPSec and NAT on a 3200 controller

Doesn't work. I also tried selecting the "Used by VPN" option, but same results.

Aruba

Re: VPN IPSec and NAT on a 3200 controller

Have you tried enabling source NAT in the VPN settings?

 

[image: aos-vpn-nat.jpg]

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
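The NAT pool and role ACL that the replies above describe, written out as an ArubaOS CLI fragment. This is an added illustration, not configuration posted by any participant in the thread: the pool name `vpn-snat-pool` and ACL name `vpn-snat-acl` are assumed, and 10.1.99.1 is used because the original poster named it as the destination NAT address. The VPN-services "Source NAT" checkbox from the last reply is a GUI setting and is not shown here.

```text
! NAT pool as the second reply recommends: start, end and destination
! are one and the same controller IP (assumed to be the VLAN 20 address
! 10.1.99.1 from the original post)
ip nat pool vpn-snat-pool 10.1.99.1 10.1.99.1 10.1.99.1

! Session ACL: the src-nat rule comes first, the permit after it
ip access-list session vpn-snat-acl
  user any any src-nat pool vpn-snat-pool
  any any any permit

! Attach the ACL to the role the IPsec clients land in
user-role default-vpn-role
  session-acl vpn-snat-acl
```

After applying it, `show rights default-vpn-role` lists the effective ACL rules in order, which is the quickest way to confirm that the src-nat rule really is the first one hit. Session ACLs are first-match, so the trailing `any any any permit` only applies to traffic the src-nat rule did not already match; for a production deployment you would normally narrow that permit to the networks VPN users actually need rather than leaving them with reach into every VLAN.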
