Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VPN and source-nat

  • 1.  VPN and source-nat

    Posted Feb 02, 2012 10:20 AM
    Hello,

    I'm a total newbie with Aruba OS (less than 3 days).

    I'm trying to configure a 3400 controller to act as a VPN concentrator for distant users.

    I've got the following problem: I can't activate Source NAT in Advanced Services->VPN services->IPSEC

    Every time I select "enable source nat" and give it a NAT pool, when I come back to the same page it stays deactivated

    ( "NO CHANGES WERE MADE")

    So, my distant users can establish the VPN, authenticate, they've got a private IP address (pool-rap) assigned by the controller and so can't communicate with other networks


    Any suggestions? (and sorry if my question is trivial)

    o.p.

    Address Pools
    Pool Name   Start Address   End Address   Actions
    pool-rap    10.5.0.1        10.5.0.51

    Source NAT
    [ ] Enable Source NAT
    NAT Pool: dynamic-srcnat / pool-nat-vpn


  • 2.  RE: VPN and source-nat

    Posted Feb 02, 2012 06:19 PM
    criecm,
    What is the role that the distant users fall into? Does that role have the correct policies to pass traffic?
    show rights <user-role>


  • 3.  RE: VPN and source-nat

    Posted Feb 03, 2012 06:09 AM

    Here is the information requested, but I really don't understand why I can't check "source nat" in the web interface ...

    (ArubaOS 6.1.1.1 and 6.1.2.6)


    Thanks for your first response.


    (aw) #show rights UR-SAUTE-VLAN

    Derived Role = 'UR-SAUTE-VLAN'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 47/0
     Max Sessions = 65535


    access-list List
    ----------------
    Position  Name      Location
    --------  ----      --------
    1         allowall  
    2         srcnat    

    allowall
    --------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          any      permit                           Low                                                           4
    2         any     any          any      permit                           Low                                                           6
    srcnat
    ------
    Priority  Source  Destination  Service  Action                     TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------                     ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          any      src-nat pool pool-nat-vpn                           Low                                                           4

    Expired Policies (due to time constraints) = 0

    -------------




  • 4.  RE: VPN and source-nat

    EMPLOYEE
    Posted Feb 03, 2012 07:46 AM

    You need to remove the allowall.  All traffic is hitting that and never gets source-natted, as a result.




  • 5.  RE: VPN and source-nat

    Posted Feb 03, 2012 11:05 AM

    I've removed it and ... nothing, I still see packets coming from my private network 10.5.0.0, not being NATed with the public controller IP address.


    Other questions:

    In the VPN configuration web interface, I have to define a local IP pool. That's where I've defined the 10.5.0.0/24 addresses,

    and I've defined a NAT pool ( pool-nat-vpn: 10.6.0.0/24).

    As I can't enable source NAT, I can't assign this NAT pool to clients, and so clients get a 10.5.0.0/24 address assigned and are never NATed.


    - Could you please just try to define a NAT pool, assign it to the VPN config and enable source NAT in the VPN config GUI?

    - Do you know how I could do the same thing with the CLI? (assign a NAT pool and enable source NAT in the VPN config)


    Thanks again



  • 6.  RE: VPN and source-nat

    EMPLOYEE
    Posted Feb 03, 2012 12:22 PM

    The NAT pool must be tied to a physical or logical IP interface that is already on the controller. For example, if the egress interface of the controller is 10.5.0.1, I want a NAT pool that is 10.5.0.1 to 10.5.0.1 to NAT all traffic out of 10.5.0.1.



  • 7.  RE: VPN and source-nat

    Posted Feb 17, 2012 08:41 AM

    Sorry for this long silence, I was out of the office for a week.


    I've done source NAT as you recommended, but I still don't understand why I can't check source-nat in the VPN config interface ...


    Thanks again



  • 8.  RE: VPN and source-nat

    EMPLOYEE
    Posted Feb 17, 2012 08:53 AM

    That source-nat button is a legacy button when we only had a single configuration for VPN connectivity.  Your specific VPN configuration is now done using the role as was described.



  • 9.  RE: VPN and source-nat

    EMPLOYEE
    Posted Feb 17, 2012 02:04 PM

    This is what the source-NAT button does:

    user-role "default-vpn-role"
     session-acl "srcnat" position 1
    !
    ip access-list session "srcnat"
     user any any src-nat pool "dynamic-srcnat" position 1
    !
    If you're not using "default-vpn-role" then the UI feature won't work.  It's really just a convenience feature that inserts the "user any any src-nat" rule into a firewall policy - you can do the same thing manually, and it appears to me that you have to if you're using a custom role.
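Putting the thread's advice together for the custom role, as an added ArubaOS CLI example that nobody in the thread posted: the NAT pool is tied to the controller's egress address (192.0.2.1 is a constructed placeholder, not an address from this thread), the srcnat session ACL is the same rule the legacy button inserts into default-vpn-role, and it sits at position 1 of UR-SAUTE-VLAN with no allowall ahead of it. The `ip nat pool <name> <start> <end>` syntax is assumed from ArubaOS 6.x and should be checked against the controller's command reference.

```text
! NAT pool tied to an address the controller already owns on its
! egress interface (192.0.2.1 is a constructed placeholder; use the
! real egress IP, a single-address range as in the employee's example)
ip nat pool pool-nat-vpn 192.0.2.1 192.0.2.1

! Same rule the legacy "Enable Source NAT" button would add, but
! pointing at this pool instead of "dynamic-srcnat"
ip access-list session srcnat
  user any any src-nat pool pool-nat-vpn position 1
!

! Apply it to the custom VPN role. Do NOT list allowall in this role
! ahead of srcnat: the first matching ACL wins, and "any any permit"
! matches everything before the src-nat rule is ever evaluated.
user-role UR-SAUTE-VLAN
  session-acl srcnat position 1
!

! Verify: srcnat should be the first (or only) ACL in the role and its
! rule should read "user any any src-nat pool pool-nat-vpn"
show rights UR-SAUTE-VLAN
```

If any other permit-all ACL (for example one inherited by default) still appears above srcnat in the `show rights` output, client traffic will leave with its 10.5.0.0/24 source address exactly as the original poster observed.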