Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

NAT Issue - Aruba Controller showing at Destination is Web filter

  • 1.  NAT Issue - Aruba Controller showing at Destination is Web filter

    Posted Aug 22, 2016 10:13 AM

    I have an Aruba controller, Aruba7005-US, running version 6.4.3.2.

    I have a web filter that filters the web traffic from both wired and wireless networks. I'm having trouble distinguishing the wireless traffic from the wired traffic.

    The wireless traffic from the wireless clients is showing in the web filter's web log as the management IP of the wireless controller rather than the IP of the wireless device.

    Is there a way I can have the Aruba controller pass the IP address of the wireless device? The wired subnet is 10.1.10.0/24 and the wireless is 172.16.0.0/24.



  • 2.  RE: NAT Issue - Aruba Controller showing at Destination is Web filter

    Posted Aug 22, 2016 10:21 AM

    That is because you have "ip nat inside" on your guest VLAN in the controller.

     

    You need to remove that statement and have a route in your network pointing to the controller's management ip address for the guest subnet.



  • 3.  RE: NAT Issue - Aruba Controller showing at Destination is Web filter

    Posted Aug 22, 2016 12:40 PM

    Colin,

     

    Thank you. Can you give me a little more detail about how to make "a route in your network pointing to the controller's management ip address for the guest subnet"?



  • 4.  RE: NAT Issue - Aruba Controller showing at Destination is Web filter

    Posted Aug 22, 2016 01:04 PM

    Question: Do you or someone else manage your wired network (switches and routers)?



  • 5.  RE: NAT Issue - Aruba Controller showing at Destination is Web filter

    Posted Aug 22, 2016 05:07 PM

    I manage them all. I'm new to Aruba. The Aruba OS and GUI are a little foreign to me.

    I already made a route in the web filter to filter the traffic on the wireless subnets.



  • 6.  RE: NAT Issue - Aruba Controller showing at Destination is Web filter

    Posted Aug 22, 2016 05:11 PM

    All right. This has more to do with your infrastructure than the wireless. What device is the default gateway of 10.1.10.0/24? That device needs a route pointing to the controller's ip address for the guest subnet 172.16.0.0/24.

    After you do that, you need to uncheck "ip nat inside" (turn off natting) on the guest VLAN on the Aruba Controller by doing this:

    config t
    interface vlan x
    no ip nat inside
    exit

     

    After you do those two things, your web filter should be able to see the source ip addresses of your guest clients.  We will have to add an ACL on your guest role in the  Aruba Controller to block access to your internal subnets, however.
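Added example, not part of the original post and not Aruba tooling: one way to check the web filter's log after the change described above, by flagging requests that still arrive from the controller's address instead of a client address. The log format, the sample lines and the controller address 10.1.10.250 are constructed assumptions (the thread elides the real management IP); the two subnets are the ones given in the thread.

```python
import ipaddress
from collections import Counter

WIRED_NET = ipaddress.ip_network("10.1.10.0/24")      # wired subnet from the thread
WIRELESS_NET = ipaddress.ip_network("172.16.0.0/24")  # wireless subnet from the thread
CONTROLLER_IP = ipaddress.ip_address("10.1.10.250")   # placeholder, real management IP is elided

# Constructed sample lines in an assumed "timestamp src_ip url" format.
SAMPLE_LOG = """\
2016-08-22T10:01:07 10.1.10.31 http://example.com/
2016-08-22T10:01:09 10.1.10.250 http://example.org/news
2016-08-22T10:01:12 10.1.10.250 http://example.net/
2016-08-22T10:02:40 172.16.0.57 http://example.com/login
malformed line
"""

def classify(src):
    """Label one logged source address as the web filter operator would read it."""
    ip = ipaddress.ip_address(src)
    # The controller sits inside the wired subnet, so test it before WIRED_NET.
    if ip == CONTROLLER_IP:
        return "nat-by-controller"   # client identity hidden behind the controller
    if ip in WIRELESS_NET:
        return "wireless-client"
    if ip in WIRED_NET:
        return "wired-client"
    return "other"

def summarize(log_text):
    """Count log entries per source class; unparsable lines are counted, not dropped."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            counts["unparsed"] += 1
            continue
        try:
            counts[classify(fields[1])] += 1
        except ValueError:           # second field is not an IP address
            counts["unparsed"] += 1
    return counts

def nat_still_active(log_text):
    """True while any request is still logged with the controller as its source."""
    return summarize(log_text)["nat-by-controller"] > 0

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)), "NAT still active:", nat_still_active(SAMPLE_LOG))
```

Run against a log slice taken after "no ip nat inside" and the firewall route are in place, `nat_still_active` should return False and wireless clients should appear under their own 172.16.0.0/24 addresses.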



  • 7.  RE: NAT Issue - Aruba Controller showing at Destination is Web filter

    Posted Aug 22, 2016 05:30 PM

    The gateway is a firewall. 10.1.10.x

    The Aruba Controller Management IP is 10.1.10.x

    The 3 VLANs on the controller are:

    Trusted VLAN 1- 10.x.x.x/24

    Default VLAN 2- Trusted Wireless devices 172.x.x.x/24

    Guest VLAN 3- 192.x.x./24

    - There is already an ACL between the Guest VLAN and the other two.
    - Traffic on VLAN 1 and 2 is allowed to communicate with each other's network.

    **Note**

    VLAN 1 gets DHCP from Domain Controller

    VLAN 2 has DHCP enabled

    VLAN 3 has DHCP enabled

    My original question pertained to VLAN 2. The Guest VLAN is not in the picture at the moment, but I will want to monitor that network as well.

    Moving on, I'm confirming that you are directing me to make a route from the gateway 10.x.x.x/24 to the management IP of the Controller 10.x.x.x or to the VLAN 2 gateway 172.x.x.x?

    *Let's leave VLAN 3 out of the picture until I get VLAN 2 set up.



  • 8.  RE: NAT Issue - Aruba Controller showing at Destination is Web filter

    Posted Aug 22, 2016 05:59 PM

    You need a route on your firewall pointing to the controller's management ip address for the subnet 172.16.x.x/24.  That will allow traffic returning from the internet to find the 172.16.x.x trusted wireless subnet.  Also, your firewall will also need to allow traffic to be natted from the 172.16.x.x subnet to allow it to go to the internet....



  • 9.  RE: NAT Issue - Aruba Controller showing at Destination is Web filter

    Posted Aug 24, 2016 11:06 AM

    In case I make a mistake, what are the commands I need to reverse:

    config t
    interface vlan x
    no ip nat inside
    exit

    Also, what are the commands to write the config to the running config?

    Thank you.



  • 10.  RE: NAT Issue - Aruba Controller showing at Destination is Web filter

    Posted Aug 24, 2016 11:17 AM

    So, I want to suggest you call TAC, because while I can give you advice here, I might not have the full picture and that would lead to giving you bad advice.

     

    To reverse, I would do

    config t
    interface vlan x
    ip nat inside
    write mem