(route) dst-nat to proxy without changing route?

Hi,

We've got a situation where we need to redirect guest traffic towards a proxy in a different subnet.

The proxy is on an internal subnet. The default gateway for the guests is a firewall that specifically allows this traffic.

We've implemented a simple dst-nat to the proxy policy in the user-role, which does the trick except for 1 issue.

The problem is that guest traffic is pulled out of the guest VLAN and routed (using the controller's routing table) over the internal LAN. This arrives at the firewall, which sees it as guest traffic coming from an internal interface and drops it.

Is there a way to achieve this without changing the routing table of the controller?

I looked at the "route dst-nat" option, which from the description appears to be exactly what I need, but I cannot seem to enter my dst address (or the next hop) anywhere?

Koen (ACMX #351 | ACDX #547 | ACCP)


Re: (route) dst-nat to proxy without changing route?

You could use the little-known ESI redirect.

Put the "redirect" session ACL in your role for the redirect to work:

esi ping health-30sec
  frequency 30
  timeout 1
  retry-count 2
!
esi server friendly-name-of-proxy-server
  mode route
  trusted-ip-addr 192.168.1.50 (proxy ip address)
  untrusted-ip-addr 192.168.1.50 (proxy ip address again)
!
esi group proxy-group
  ping health-30sec
  server friendly-name-of-proxy-server
!


ip access-list session "redirect"
   any any any redirect esi-group "proxy-group" direction forward 
!

Colin Joseph
Aruba Customer Engineering
