09-05-2013 01:44 AM - edited 09-05-2013 01:44 AM
We've got a situation where we need to redirect guest traffic towards a proxy in a different subnet.
The proxy is on an internal subnet. The default gateway for the guests is a firewall that specifically allows this traffic.
We've implemented a simple dst-nat-to-the-proxy policy in the user-role, which does the trick except for one issue.
The problem is that guest traffic is pulled out of the guest VLAN and routed (using the controller's routing table) over the internal LAN. This arrives at the firewall, which sees it as guest traffic coming from an internal interface and drops it.
Is there a way to achieve this without changing the routing table of the controller?
I looked at the "route dst-nat" option which from the description appears to be exactly what I need but I cannot seem to enter my dst address (or the next hop) anywhere?
09-05-2013 03:47 AM
You could use the little-known ESI redirect.
Put the "redirect" session acl in your role for the redirect to work:
esi ping health-30sec
   frequency 30
   timeout 1
   retry-count 2
!
esi server friendly-name-of-proxy-server
   mode route
   trusted-ip-addr 192.168.1.50    (proxy ip address)
   untrusted-ip-addr 192.168.1.50  (proxy ip address again)
!
esi group proxy-group
   ping health-30sec
   server friendly-name-of-proxy-server
!
ip access-list session "redirect"
   any any any redirect esi-group "proxy-group" direction forward
!
Aruba Customer Engineering