Occasional Contributor II

VPN and source-nat

Hello,

I'm a total newbie with Aruba OS (less than 3 days).

I'm trying to configure a 3400 controller to act as a VPN concentrator for distant users.

I've got the following problem: I can't activate Source NAT in Advanced Services->VPN services->IPSEC

Every time I select "enable source nat" and give it a NAT pool, when I come back to the same page it stays deactivated

("NO CHANGES WERE MADE")

So my distant users can establish the VPN and authenticate, they've got a private IP address (pool-rap) assigned by the controller, and so can't communicate with other networks.

Any suggestion? (And sorry if my question is trivial.)

o.p.

Address Pools
Pool Name   Start Address   End Address   Actions
pool-rap    10.5.0.1        10.5.0.51

Source NAT
Enable Source NAT
NAT Pool: dynamic-srcnat / pool-nat-vpn (dropdown options)

Retired Employee

Re: VPN and source-nat

criecm,
What is the role that the distant users fall into? Does that role have the correct policies to pass traffic?
show rights <user-role>

--
HT
Occasional Contributor II

Re: VPN and source-nat

Here is the information requested, but I really don't understand why I can't check "source nat" in the web interface ...

(ArubaOS 6.1.1.1 and 6.1.2.6)

Thanks for your first response.

(aw) #show rights UR-SAUTE-VLAN

Derived Role = 'UR-SAUTE-VLAN'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 47/0
 Max Sessions = 65535


access-list List
----------------
Position  Name      Location
--------  ----      --------
1         allowall  
2         srcnat    

allowall
--------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4
2         any     any          any      permit                           Low                                                           6
srcnat
------
Priority  Source  Destination  Service  Action                     TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------                     ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          any      src-nat pool pool-nat-vpn                           Low                                                           4

Expired Policies (due to time constraints) = 0

-------------

Guru Elite

Re: VPN and source-nat


criecm wrote:

Here is the information requested, but I really don't understand why I can't check "source nat" in the web interface ...

(ArubaOS 6.1.1.1 and 6.1.2.6)

Thanks for your first response.

(aw) #show rights UR-SAUTE-VLAN

Derived Role = 'UR-SAUTE-VLAN'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 47/0
 Max Sessions = 65535


access-list List
----------------
Position  Name      Location
--------  ----      --------
1         allowall  
2         srcnat    

allowall
--------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4
2         any     any          any      permit                           Low                                                           6
srcnat
------
Priority  Source  Destination  Service  Action                     TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------                     ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          any      src-nat pool pool-nat-vpn                           Low                                                           4

Expired Policies (due to time constraints) = 0

-------------

You need to remove the allowall.  All traffic is hitting that and never gets source-natted, as a result.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Occasional Contributor II

Re: VPN and source-nat

I've removed it and ... nothing, I still see packets coming from my private network 10.5.0.0, not being NATted with the public controller IP address.

Other questions:

In the VPN configuration web interface, I have to define a local IP pool. That's where I've defined the 10.5.0.0/24 addresses,

and I've defined a NAT pool (pool-nat-vpn: 10.6.0.0/24).

As I can't enable source-nat, I can't assign this NAT pool to clients, so clients get a 10.5.0.0/24 address assigned and are never NATted.

- Could you please just try to define a NAT pool, assign it to the VPN conf and enable source NAT in the VPN conf GUI?

- Do you know how I could do the same thing with the CLI (assign a NAT pool and enable source NAT in the VPN conf)?

Thanks again

Guru Elite

Re: VPN and source-nat


criecm wrote:

I've removed it and ... nothing, I still see packets coming from my private network 10.5.0.0, not being NATted with the public controller IP address.

Other questions:

In the VPN configuration web interface, I have to define a local IP pool. That's where I've defined the 10.5.0.0/24 addresses,

and I've defined a NAT pool (pool-nat-vpn: 10.6.0.0/24).

As I can't enable source-nat, I can't assign this NAT pool to clients, so clients get a 10.5.0.0/24 address assigned and are never NATted.

- Could you please just try to define a NAT pool, assign it to the VPN conf and enable source NAT in the VPN conf GUI?

- Do you know how I could do the same thing with the CLI (assign a NAT pool and enable source NAT in the VPN conf)?

Thanks again

The nat pool must be tied to a physical or logical ip interface that is already on the controller.  For example, if the egress interface of the controller is 10.5.0.1, I want a nat pool that is 10.5.0.1 to 10.5.0.1 to nat all traffic out of 10.5.0.1

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Occasional Contributor II

Re: VPN and source-nat

Sorry for this long silence, I was out of the office for a week.

I've done source NAT as you recommended, but I still don't understand why I can't check source-nat in the VPN config interface ...

Thanks again

Guru Elite

Re: VPN and source-nat


criecm wrote:

Sorry for this long silence, I was out of the office for a week.

I've done source NAT as you recommended, but I still don't understand why I can't check source-nat in the VPN config interface ...

Thanks again

That source-nat button is a legacy button when we only had a single configuration for VPN connectivity.  Your specific VPN configuration is now done using the role as was described.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Moderator

Re: VPN and source-nat

This is what the source-NAT button does:

user-role "default-vpn-role"
 session-acl "srcnat" position 1
!
ip access-list session "srcnat"
 user any any src-nat pool "dynamic-srcnat" position 1
!

If you're not using "default-vpn-role" then the UI feature won't work.  It's really just a convenience feature that inserts the "user any any src-nat" rule into a firewall policy - you can do the same thing manually, and it appears to me that you have to if you're using a custom role.


---
Jon Green, ACMX, CISSP
Security Guy
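Two points in this thread can be checked mechanically: a permit-all policy placed ahead of the src-nat policy shadows it (the session firewall is first-match, so the NAT rule is never reached, which is the diagnosis given above), and the GUI button only inserts a `user any any src-nat` rule into `default-vpn-role`, so a custom role needs the same rule added by hand. The Python script below is an added example written for this page, not code from the thread or from Aruba. It parses `show rights` output in the layout shown above (the embedded sample is constructed, modelled on the poster's output), flags any src-nat rule that a packet from the user would never reach, proposes the ACL order that fixes it, and renders the manual equivalent of the button for an arbitrary role and pool name. The probe destination and service values and the `equivalent_cli` helper are assumptions, not Aruba APIs.

```python
"""Detect a shadowed src-nat rule in an ArubaOS user-role (added example, not from the thread)."""
from dataclasses import dataclass

# Constructed sample, modelled on the `show rights UR-SAUTE-VLAN` output posted above.
SAMPLE_SHOW_RIGHTS = """\
Derived Role = 'UR-SAUTE-VLAN'
 ACL Number = 47/0

access-list List
----------------
Position  Name      Location
--------  ----      --------
1         allowall
2         srcnat

allowall
--------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4
2         any     any          any      permit                           Low                                                           6
srcnat
------
Priority  Source  Destination  Service  Action                     TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------                     ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          any      src-nat pool pool-nat-vpn                           Low                                                           4

Expired Policies (due to time constraints) = 0
"""


@dataclass(frozen=True)
class Rule:
    acl: str
    priority: int
    source: str
    destination: str
    service: str
    action: str


def parse_show_rights(text):
    """Return (ACL order, {acl: [Rule, ...]}) from `show rights <role>` output."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    order, rules, i = [], {}, 0
    while i < len(lines) and lines[i].strip() != "access-list List":
        i += 1
    i += 3  # skip the title, its underline and the column header
    while i < len(lines) and lines[i].strip():
        parts = lines[i].split()
        if parts[0].isdigit():  # e.g. "1         allowall"
            order.append(parts[1])
        i += 1
    current = None
    for line in lines[i:]:
        s = line.strip()
        if s in order:  # heading of that ACL's own rule table
            current, rules[s] = s, []
        elif current and s and s[0].isdigit():
            # Columns: Priority Source Destination Service Action... Queue IPv4/6;
            # the optional columns in between are blank in this output.
            t = s.split()
            rules[current].append(Rule(current, int(t[0]), t[1], t[2], t[3], " ".join(t[4:-2])))
    return order, rules


def _field_matches(rule_field, value):
    return rule_field == "any" or rule_field == value


def first_match(flat_rules, source, destination, service):
    """First-match-wins lookup, the way the controller's session firewall evaluates a role."""
    for r in flat_rules:
        if (_field_matches(r.source, source) and _field_matches(r.destination, destination)
                and _field_matches(r.service, service)):
            return r
    return None


def flatten(order, rules):
    return [r for acl in order for r in rules.get(acl, [])]


def shadowed_srcnat_rules(order, rules):
    """Return [(src-nat rule, rule that hides it)] for NAT rules a user packet never reaches."""
    flat = flatten(order, rules)
    findings = []
    for rule in flat:
        if not rule.action.startswith("src-nat"):
            continue
        # Probe packet: from the VPN user to an arbitrary host/service (constructed values).
        hit = first_match(flat, rule.source, "203.0.113.10", "svc-https")
        if hit is not None and hit != rule:
            findings.append((rule, hit))
    return findings


def reorder_srcnat_first(order, rules):
    """Move every policy that holds a src-nat rule ahead of the others."""
    nat = [a for a in order if any(r.action.startswith("src-nat") for r in rules.get(a, []))]
    return nat + [a for a in order if a not in nat]


def equivalent_cli(role, pool, acl="srcnat"):
    """The rule the GUI button inserts, rendered for a custom role (hypothetical helper)."""
    return "\n".join([
        f'user-role "{role}"', f' session-acl "{acl}" position 1', "!",
        f'ip access-list session "{acl}"', f' user any any src-nat pool "{pool}" position 1', "!",
    ])


if __name__ == "__main__":
    order, rules = parse_show_rights(SAMPLE_SHOW_RIGHTS)
    for rule, hit in shadowed_srcnat_rules(order, rules):
        print(f"{rule.acl}#{rule.priority} ({rule.action}) is shadowed by {hit.acl}#{hit.priority} ({hit.action})")
    print("suggested ACL order:", reorder_srcnat_first(order, rules))
    print(equivalent_cli("UR-SAUTE-VLAN", "pool-nat-vpn"))
```

On the sample the script reports that `srcnat#1` is shadowed by `allowall#1` and suggests putting `srcnat` first; re-running the check on the reordered list returns nothing, which is what the "remove (or demote) the allowall" advice above achieves. Paste real `show rights` output in place of the sample to check a live role.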