The controller will change the client source IP to one address from the NAT pool (mypool). You will probably need a different pool for each of your controllers and route that pool back to the controller from your router/firewall, such that return traffic will get to the right controller. Also make sure that DNS/DHCP are reachable for the NATted traffic. You may need an IP address on the controller in the VLAN on which you want to perform the NAT in order to get the traffic back.
I don't have recent experience with NAT on a gateway, so if it doesn't work and packet captures (does the traffic actually get NATted, does it go out on the right interface/VLAN, is there return traffic, does that get NATted back) do not help, working with Aruba TAC may be helpful.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Sep 20, 2023 06:07 AM
From: cauliflower
Subject: src-nat on user role
Hello,
First time trying to do this so looking for a little guidance (or link to helpful docs).
We want to src-nat a particular user role on our Guest (captive portal) SSID. These particular guest users would authenticate via Azure (this is working) and ClearPass sends back a special role, this role exists on the AOS 8.10 cluster. That much seems to work. I have added a pool and a line to an ACL in the role:
ip nat pool mypool x.x.x.x x.x.x.x
user-role specialpeople
user any any src-nat pool mypool log
I can connect and I get the right role, but then no internet. Am I missing a step? The other question I have is about the pool: do those addresses need to exist as interfaces on the controller, or just be routable from the cluster? What are the rules for choosing the pool addresses?
Guy
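The pieces from the question and from Herman's reply, assembled into one AOS 8 configuration. This is an added example, not configuration posted by either participant: the ACL name, VLAN number and all addresses are assumptions, and it is written for a single managed device (with a cluster, each controller gets its own pool and its own return route, as the reply says).

```text
! Added example, not from the thread. ACL name, VLAN 200 and all addresses are assumed.
! Applied on the managed-device node of ONE controller; repeat per cluster member
! with a different, non-overlapping pool range.

! 1. Pool of translated source addresses. No host may use these addresses. The
!    upstream router/firewall needs a route for them (here 198.51.100.0/28) that
!    points at THIS controller, otherwise return traffic lands on another member.
ip nat pool guestnat-ctrl1 198.51.100.1 198.51.100.14

! 2. Give the controller a leg in the VLAN the NATted traffic leaves on, so the
!    translated packets have an egress VLAN and the replies have a way back.
interface vlan 200
  ip address 198.51.100.250 255.255.255.0

! 3. Session ACL. Rules are first-match: DHCP is permitted untranslated ahead of
!    the NAT rule, and everything else (DNS included) is source-NATted, so the
!    DNS server must be reachable from 198.51.100.0/28 as well.
ip access-list session specialpeople-srcnat
  user any svc-dhcp permit
  user any any src-nat pool guestnat-ctrl1 log

! 4. Bind the ACL to the role that ClearPass returns. Keep it ahead of any
!    general allow ACL in the role, or the allow rule wins and nothing is NATted.
user-role specialpeople
  access-list session specialpeople-srcnat
```

To check it, connect a client that receives the role and, on the controller that terminates it, run `show rights specialpeople` to confirm the ACL is in the role and `show datapath session table <client-ip>` to see the client's sessions; the flag legend printed with the table shows whether a session is being source-NATted. If sessions show the NAT flag but there is still no internet, the problem is almost certainly the return path (no route for the pool back to this controller), which is exactly where the packet captures suggested in the reply come in.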