Occasional Contributor II

VPN and source-nat

Hello,

I'm a total newbie with Aruba OS (less than 3 days).

I'm trying to configure a 3400 controller to act as a VPN concentrator for distant users.

I've got the following problem: I can't activate Source NAT in Advanced Services->VPN services->IPSEC

Every time I select "enable source nat" and give it a NAT pool, when I come back to the same page it stays deactivated

( "NO CHANGES WERE MADE")

So my distant users can establish the VPN and authenticate; they get a private IP address (pool-rap) assigned by the controller, and so can't communicate with other networks.

Any suggestions? (And sorry if my question is trivial.)

o.p.

Address Pools
Pool Name   Start Address   End Address   Actions
pool-rap    10.5.0.1        10.5.0.51

Source NAT
Enable Source NAT
NAT Pool: dynamic-srcnat, pool-nat-vpn

Retired Employee

Re: VPN and source-nat

criecm,
What is the role that the distant users fall into? Does that role have the correct policies to pass traffic?
show rights <user-role>

--
HT
Occasional Contributor II

Re: VPN and source-nat

Here is the information requested, but I really don't understand why I can't check "source nat" in the web interface ...

(ArubaOS 6.1.1.1 and 6.1.2.6)

Thanks for your first response.

(aw) #show rights UR-SAUTE-VLAN

Derived Role = 'UR-SAUTE-VLAN'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 47/0
 Max Sessions = 65535


access-list List
----------------
Position  Name      Location
--------  ----      --------
1         allowall  
2         srcnat    

allowall
--------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4
2         any     any          any      permit                           Low                                                           6
srcnat
------
Priority  Source  Destination  Service  Action                     TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------                     ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          any      src-nat pool pool-nat-vpn                           Low                                                           4

Expired Policies (due to time constraints) = 0

-------------

Guru Elite

Re: VPN and source-nat


criecm wrote:

Here is the information requested, but I really don't understand why I can't check "source nat" in the web interface ...

(ArubaOS 6.1.1.1 and 6.1.2.6)

Thanks for your first response.

(aw) #show rights UR-SAUTE-VLAN

Derived Role = 'UR-SAUTE-VLAN'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 47/0
 Max Sessions = 65535


access-list List
----------------
Position  Name      Location
--------  ----      --------
1         allowall  
2         srcnat    

allowall
--------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4
2         any     any          any      permit                           Low                                                           6
srcnat
------
Priority  Source  Destination  Service  Action                     TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------                     ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          any      src-nat pool pool-nat-vpn                           Low                                                           4

Expired Policies (due to time constraints) = 0

-------------

You need to remove the allowall. All traffic is hitting that and never gets source-natted, as a result.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: VPN and source-nat

I've removed it and ... nothing. I still see packets coming from my private network 10.5.0.0, not being NATed with the public controller IP address.

Other questions:

In the VPN configuration web interface, I have to define a local IP pool. That's where I've defined the 10.5.0.0/24 addresses,

and I've defined a NAT pool (pool-nat-vpn: 10.6.0.0/24).

As I can't enable source NAT, I can't assign this NAT pool to clients, so clients get a 10.5.0.0/24 address assigned and are never NATed.

- Could you please just try to define a NAT pool, assign it to the VPN conf and enable source NAT in the VPN conf GUI?

- Do you know how I could do the same thing with the CLI (assign a NAT pool and enable source NAT in the VPN conf)?

Thanks again.

Guru Elite

Re: VPN and source-nat


criecm wrote:

I've removed it and ... nothing. I still see packets coming from my private network 10.5.0.0, not being NATed with the public controller IP address.

Other questions:

In the VPN configuration web interface, I have to define a local IP pool. That's where I've defined the 10.5.0.0/24 addresses,

and I've defined a NAT pool (pool-nat-vpn: 10.6.0.0/24).

As I can't enable source NAT, I can't assign this NAT pool to clients, so clients get a 10.5.0.0/24 address assigned and are never NATed.

- Could you please just try to define a NAT pool, assign it to the VPN conf and enable source NAT in the VPN conf GUI?

- Do you know how I could do the same thing with the CLI (assign a NAT pool and enable source NAT in the VPN conf)?

Thanks again.

The NAT pool must be tied to a physical or logical IP interface that is already on the controller. For example, if the egress interface of the controller is 10.5.0.1, I want a NAT pool that is 10.5.0.1 to 10.5.0.1 to NAT all traffic out of 10.5.0.1.

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: VPN and source-nat

Sorry for this long silence, I was out of the office for a week.

I've done source NAT as you recommended, but I still don't understand why I can't check source-nat in the VPN config interface ...

Thanks again.

Guru Elite

Re: VPN and source-nat


criecm wrote:

Sorry for this long silence, I was out of the office for a week.

I've done source NAT as you recommended, but I still don't understand why I can't check source-nat in the VPN config interface ...

Thanks again.

That source-nat button is a legacy button from when we only had a single configuration for VPN connectivity. Your specific VPN configuration is now done using the role, as was described.

Colin Joseph
Aruba Customer Engineering


Moderator

Re: VPN and source-nat

This is what the source-NAT button does:

user-role "default-vpn-role"
 session-acl "srcnat" position 1
!
ip access-list session "srcnat"
 user any any src-nat pool "dynamic-srcnat" position 1
!

If you're not using "default-vpn-role" then the UI feature won't work. It's really just a convenience feature that inserts the "user any any src-nat" rule into a firewall policy; you can do the same thing manually, and it appears to me that you have to if you're using a custom role.

---
Jon Green, ACMX, CISSP
Security Guy
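Putting the two answers together, here is the CLI equivalent of the legacy button applied to the custom role from this thread. This is an added example, not configuration posted in the thread or supplied by Aruba; the pool and role names come from the thread, 203.0.113.10 is a placeholder standing in for the controller's public egress interface address, and the `ip nat pool` and `show datapath session table` commands are standard ArubaOS 6.x commands that the thread itself does not show.

```arubaos
! Added example (not from the thread): CLI equivalent of the legacy
! "Enable Source NAT" button, applied to the custom role UR-SAUTE-VLAN.
! 203.0.113.10 is a placeholder for the controller's public egress
! interface address; the pool must be an address the controller already
! owns, as explained above, not a separate 10.6.0.0/24 range.
ip nat pool pool-nat-vpn 203.0.113.10 203.0.113.10
!
! The src-nat action lives in its own session ACL. Session ACLs in a role
! are evaluated top-down and the first matching rule wins, so this rule
! must sit ahead of any plain "permit" that also matches user traffic.
ip access-list session srcnat
  user any any src-nat pool pool-nat-vpn position 1
!
! Attach it to the role the VPN users actually land in (not
! default-vpn-role). With srcnat at position 1, every user-sourced
! session is NATed before allowall is ever consulted.
user-role UR-SAUTE-VLAN
  session-acl srcnat position 1
  session-acl allowall position 2
!
! Verify the order the controller will use, then, with a client
! connected, confirm its sessions carry the NAT address:
!   show rights UR-SAUTE-VLAN
!   show datapath session table <client-ip>
```

If `show rights` still lists allowall above srcnat, re-apply the `position` values; the order shown there is the order the datapath enforces.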