Frequent Contributor I
Posts: 70
Registered: ‎04-06-2007

When routing between two vlans configured with "ip nat inside", all traffic is nat'd

This behavior seems undesirable. If both vlans are "inside" to the controller, why must all packets get nat'd between them? Is there any way around this?

 

Currently I have two controllers that are connected to each other and I would like to route between vlans 1 and 2 without NAT taking place. All three VLANs are marked as NAT inside, but all traffic from end user VLANs is presented as the closest controller's IP address.

 

VLAN 10 = 10.1.0.0 / 16

VLAN 20 = 192.168.20.0 / 24

VLAN 4090 = 172.16.0.16/29

 

VLAN10 <---> Controller 1 <----> VLAN 4090 <----> Controller 2 <----> VLAN 20

 

A ping running from VLAN 20 client 192.168.20.20 destined for VLAN 10 host 10.1.30.17 arrives at the client with the source IP of Controller 1's VLAN 10 interface.

 

10:00:08.039516 IP 10.1.0.1 > 10.1.30.17: ICMP echo request, id 1, seq 176, length 40
10:00:08.039572 IP 10.1.30.17 > 10.1.0.1: ICMP echo reply, id 1, seq 176, length 40

 

Any ideas? Maybe a firewall policy that will shove traffic to be NAT'd one way while "internal" traffic does not get NAT'd and is allowed to route? I know other vendors used a "nat outside" statement on external-facing interfaces; kinda wish I had that for the interface I need to NAT out of.

MVP
Posts: 3,009
Registered: ‎10-25-2011

Re: When routing between two vlans configured with "ip nat inside", all traffic is nat'd

[ Edited ]

Something is wrong here.  You should not need that...

 

What's the default gateway of the controllers?

 

Do you have it like that? Or do you have an L3 switch connected to any of those controllers?

 

That's your environment? No other things are connected to the controllers? L3 switch or anything? Because this is a routing issue and I would need a picture of everything to help you fix it...

 

You should have something like this, thinking it's just those 2 controllers connected to each other and nothing else.

 

 

VLAN10 <---> Controller 1 <----> VLAN 4090 <----> Controller 2 <----> VLAN 20

 

Default gateway of controller 1 should be pointing to controller 2's VLAN 4090 IP address.

Default gateway of controller 2 should be pointing to controller 1's VLAN 4090 IP address.

 

You should uncheck the NAT checkbox and enable the routing checkbox on VLAN 10 and VLAN 20, and also on the VLAN 4090 interface VLANs, on both controllers, and it should work.

 

 

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Frequent Contributor I
Posts: 70
Registered: ‎04-06-2007

Re: When routing between two vlans configured with "ip nat inside", all traffic is nat'd

Sorry, I didn't put all the other information in, trying to keep it simple. The controllers both have their own default gateway pointing out to the world through a different VLAN, 4092, which pulls an IP from their respective ISPs and is where I would usually put an ip nat outside statement on other vendors. Both VLANs 10 and 20 should go out their closest controller as their default gateway headed towards the world.

 

 

                 ISP <---------- Internet ----------> ISP
                  |                                    |
              VLAN 4092                            VLAN 4092
                  |                                    |
VLAN10 <---> Controller 1 <----> VLAN 4090 <----> Controller 2 <----> VLAN 20

Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: When routing between two vlans configured with "ip nat inside", all traffic is nat'd


james.vaught wrote:

This behavior seems undesirable. If both vlans are "inside" to the controller, why must all packets get nat'd between them? Is there any way around this?

[...]


James,

 

This is the definition of "ip nat inside" on every other firewall platform.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 3,009
Registered: ‎10-25-2011

Re: When routing between two vlans configured with "ip nat inside", all traffic is nat'd

Okay, so basically both controllers are on the same site?

But each controller has its own internet?

 

If the default gateway is pointing to VLAN 4092, all you have to do is add a route in the routing table which tells the controller, for example:

 

On controller 1:

192.168.20.0 / 24 via VLAN 4090 ip address of the controller 2

 

On controller 2

10.1.0.0 / 16 via VLAN 4090 ip address of the controller 1

 

You're missing the routes in the IP route table.

 

 

As far as I'm understanding, you want to reach VLAN 10 and VLAN 20 between each controller without NATing; you want to reach it by routing it... but going through VLAN 4090.

Am I right in what you want to do?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Frequent Contributor I
Posts: 70
Registered: ‎04-06-2007

Re: When routing between two vlans configured with "ip nat inside", all traffic is nat'd

Colin,

I get it. I'm not saying you are doing ip nat inside wrong per se, but I am looking for a way around the way it works. Seems that NAT should only be applied after the packet has been routed and it is determined that it is leaving an interface that needs NAT on it. ip nat outside would be ideal.

 

NightShade,

The routes are definitely there, being shared by OSPF... It's not an issue of the traffic not knowing where to go, it's an issue of when the traffic gets NAT'd.

 

Controller 1

S* 0.0.0.0/0 [1/0] via 50.21.205.1*
O 10.0.0.0/16 [2/0] via 172.16.0.22*
O 192.168.20.0/24 [2/0] via 172.16.0.22*
C 10.1.0.0/16 is directly connected, VLAN10
C 50.21.205.0/24 is directly connected, VLAN4092
C 172.16.0.16/29 is directly connected, VLAN4090

 

Controller 2

S* 0.0.0.0/0 [1/0] via 208.117.126.9*
O 10.1.0.0/16 [2/0] via 172.16.0.17*
C 208.117.126.8/29 is directly connected, VLAN4092
C 192.168.20.0/24 is directly connected, VLAN20
C 172.16.0.16/29 is directly connected, VLAN4090

Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: When routing between two vlans configured with "ip nat inside", all traffic is nat'd

Jim,

 

Why don't you have a single device, external to the controller do the natting, so that you can have control over this, then?

 

The way around this (more complicated) is to have Natting be done by the user role on that subnet, so if traffic is going to a private subnet, just permit, but if traffic is going any where else, Nat it.  IP Nat inside was designed to easily Nat traffic for some subnets and not others at the interface level.  If you need more granularity, use the user's role to do this.



Colin Joseph
Aruba Customer Engineering

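What Colin's role-based approach looks like in configuration, as an added example that is not part of any post in this thread. The syntax is assumed ArubaOS 6.x-style (netdestination, session ACL, user-role) and should be checked against the CLI reference for the release in use; the role name vlan10-user and the ACL/alias names are made up for illustration, while the prefixes are the ones posted above. The idea is the one Colin describes: a session ACL is evaluated top-down, so a permit rule for the internal destinations matches first and the packet is routed unchanged, and only traffic to any other destination falls through to the src-nat rule. A bare src-nat rule, as I understand it, translates to the IP of the egress interface (here the VLAN 4092 address); a NAT pool can be named instead if a different address is wanted.

```text
! Added example, not thread content. Assumed ArubaOS 6.x-style syntax.
! Shown for Controller 1; Controller 2 gets the mirror image (no ip nat inside
! on VLAN 20, same netdestination, same ACL in the role its clients receive).
!
! 1. Stop NATing at the interface: with "ip nat inside" every packet entering
!    the VLAN is translated regardless of where it is routed to.
interface vlan 10
  no ip nat inside
!
! 2. Destinations that must be routed, never translated: both user VLANs and
!    the controller-to-controller link.
netdestination internal-nets
  network 10.1.0.0 255.255.0.0
  network 192.168.20.0 255.255.255.0
  network 172.16.0.16 255.255.255.248
!
! 3. Session ACL, first match wins: permit to internal prefixes, then
!    source-NAT everything else (the internet-bound traffic). Keep the permit
!    rule above the src-nat rule or nothing will be exempted.
ip access-list session route-internal-nat-rest
  user alias internal-nets any permit
  user any any src-nat
!
! 4. Attach it to the role the VLAN 10 clients land in (role name assumed).
user-role vlan10-user
  access-list session route-internal-nat-rest
```

Because the NAT decision now lives in the role rather than on the VLAN interface, the wired clients mentioned later in the thread are covered only if they also end up in a role carrying this ACL; the point Colin makes stands either way, namely that the controller's interface-level NAT is a coarse switch and an external firewall is the simpler place to own the "NAT only toward the ISP" policy.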

MVP
Posts: 3,009
Registered: ‎10-25-2011

Re: When routing between two vlans configured with "ip nat inside", all traffic is nat'd

[ Edited ]

I was misunderstanding your point sorry.

 

I think the same way that Colin does... just have an external device doing the NATing so you can get control over that.
It seems you have the controller plugged directly into the internet, which is not recommended in any way... Controllers are not a security device... If you are able to get a firewall, it will do the NAT for just the packets going outside and you will get your routing without NATing inside your network.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Frequent Contributor I
Posts: 70
Registered: ‎04-06-2007

Re: When routing between two vlans configured with "ip nat inside", all traffic is nat'd

Some of this traffic is wired as well. How about a firewall policy applied to the ingress interface?

Frequent Contributor I
Posts: 70
Registered: ‎04-06-2007

Re: When routing between two vlans configured with "ip nat inside", all traffic is nat'd

Wait a sec... "controllers are not a security device" when I always hear EAL firewall etc.?
