For split tunnel, you should only do Source NAT for the local breakout traffic (route + snat); for the central traffic, you just do a Permit, without NAT.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
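As an added illustration of the split-tunnel ACL shape described above (not configuration from this thread or from Aruba's documentation; the netdestination, subnet, ACL and role names are assumed): the central (data-center) traffic is matched first with a plain permit so it tunnels to the controller with the client's real source IP intact for the firewall, and only the remaining Internet-bound traffic gets the local breakout with source NAT.

```text
! Assumed corporate address space reached through the controller in the data center
netdestination corp-networks
  network 10.0.0.0 255.0.0.0
!
ip access-list session split-tunnel-acl
  ! Central traffic: permit only, no NAT, so the firewall sees the client IP
  user alias corp-networks any permit
  ! Everything else: local breakout at the RAP, NATed behind the RAP uplink
  user any any route src-nat
!
user-role rap-split-role
  access-list session split-tunnel-acl
```

Order matters: if the `route src-nat` line were listed before the corp-networks permit, the data-center flows would also be NATed and the firewall would again see only a single translated source address.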
Original Message:
Sent: Nov 29, 2021 10:44 AM
From: Aria Adhiguna
Subject: Firewall reads Controller IP and not client IP
Hi Herman,
Correct me if I'm wrong, but don't we need to use Source NAT on Split Tunnel deployments?
Also, you mean that it's possible for the traffic to not get NATed and for the firewall to see the real IP, right?
------------------------------
Aria Adhiguna
Original Message:
Sent: Nov 29, 2021 10:07 AM
From: Herman Robers
Subject: Firewall reads Controller IP and not client IP
Then probably you have source NAT configured somewhere either on the VLANs or on the roles. Best to go through your configuration with your partner or Aruba support.
------------------------------
Herman Robers
Original Message:
Sent: Nov 29, 2021 12:07 AM
From: Aria Adhiguna
Subject: Firewall reads Controller IP and not client IP
Hi, our customer has a deployment of a 7010 and a few RAPs. The 7010 is in the data center, but the client traffic that goes through the firewall only shows the IP of the controller itself, and not the clients; therefore, the firewall cannot enforce the rules.
Is there any way to solve this?
------------------------------
Aria Adhiguna
------------------------------