Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
There is some confusion when a user tries to configure a range of IP addresses for a NAT pool. The user notices that all clients share only the first IP address in the NAT pool and wonders when and how the rest of the public IPs are used.
In the current ArubaOS implementation, all TCP and UDP sessions are src-NATed only to the first IP address of the NAT pool. Only IP packets that are neither TCP nor UDP, such as ESP and GRE, are NATed to the other addresses in the pool.
The question, then, is how a customer can configure many-to-many src-nat for a large pool of private IP addresses. The simple answer is to use multiple single-address NAT pools and to create different user roles that apply the corresponding firewall policies across the wireless user population.
This example distributes clients across three NAT pools based on the last digit of the User-Name (each pool contains exactly one public address, and each role references the src-nat ACL for its own pool):
ip nat pool public-1 210.3.2.1 210.3.2.1
ip nat pool public-2 210.3.2.2 210.3.2.2
ip nat pool public-3 210.3.2.3 210.3.2.3
!
ip access-list session dhcp-acl
  any any svc-dhcp permit
!
ip access-list session cplogout
  user alias mswitch svc-https dst-nat
!
ip access-list session src-nat-1-acl
  user any any src-nat pool public-1
!
ip access-list session src-nat-2-acl
  user any any src-nat pool public-2
!
ip access-list session src-nat-3-acl
  user any any src-nat pool public-3
!
user-role authd-user-public1-role
  session-acl dhcp-acl
  session-acl cplogout
  session-acl src-nat-1-acl
!
user-role authd-user-public2-role
  session-acl dhcp-acl
  session-acl cplogout
  session-acl src-nat-2-acl
!
user-role authd-user-public3-role
  session-acl dhcp-acl
  session-acl cplogout
  session-acl src-nat-3-acl
!
aaa server-group cp-auth-captiveportal
  set role condition User-Name ends-with 1 set-value authd-user-public1-role
  set role condition User-Name ends-with 2 set-value authd-user-public2-role
  set role condition User-Name ends-with 3 set-value authd-user-public3-role
!
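Because the whole scheme depends on every pool holding exactly one address and every role pointing at its own src-nat ACL, a copy-paste slip in one role silently pushes two groups of clients out of the same public IP. The following script is an added example, not ArubaOS code or an Aruba tool: it parses the small slice of config syntax used in this article (ip nat pool, session ACLs with src-nat pool, user-role / session-acl, and the server-group set role condition lines) and reports multi-address pools, pools that no role uses or that several roles share, and role conditions that name an undefined role. The embedded configuration is a constructed variant of the article's layout with three slips deliberately introduced so that each check fires.

```python
"""Sanity-check an ArubaOS-style NAT-pool / user-role configuration.
Added example for this article; not ArubaOS code. It understands only the
config lines shown above, not the full ArubaOS grammar.
"""
import re
from ipaddress import IPv4Address

# Constructed sample: the article's layout with three deliberate slips
# (public-2 spans two addresses, the public2 role references src-nat-3-acl,
# and the last role condition names a role that does not exist).
SAMPLE_CONFIG = """
ip nat pool public-1 210.3.2.1 210.3.2.1
ip nat pool public-2 210.3.2.1 210.3.2.2
ip nat pool public-3 210.3.2.3 210.3.2.3
ip access-list session dhcp-acl
  any any svc-dhcp permit
!
ip access-list session src-nat-1-acl
  user any any src-nat pool public-1
!
ip access-list session src-nat-2-acl
  user any any src-nat pool public-2
!
ip access-list session src-nat-3-acl
  user any any src-nat pool public-3
!
user-role authd-user-public1-role
  session-acl dhcp-acl
  session-acl src-nat-1-acl
!
user-role authd-user-public2-role
  session-acl dhcp-acl
  session-acl src-nat-3-acl
!
user-role authd-user-public3-role
  session-acl dhcp-acl
  session-acl src-nat-3-acl
!
aaa server-group cp-auth-captiveportal
  set role condition User-Name ends-with 1 set-value authd-user-public1-role
  set role condition User-Name ends-with 2 set-value authd-user-public2-role
  set role condition User-Name ends-with 9 set-value authd-user-public9-role
!
"""


def parse_config(text):
    """Return (pools, acl_pool, roles, conditions) parsed from the config."""
    pools = {}        # pool name -> (first address, last address)
    acl_pool = {}     # session ACL name -> pool it src-nats to, or None
    roles = {}        # role name -> list of session ACLs, in order
    conditions = []   # (User-Name suffix, role) from the server-group
    section, name = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            section, name = None, None      # '!' closes the current block
            continue
        if m := re.fullmatch(r"ip nat pool (\S+) (\S+) (\S+)", line):
            pools[m[1]] = (IPv4Address(m[2]), IPv4Address(m[3]))
        elif m := re.fullmatch(r"ip access-list session (\S+)", line):
            section, name = "acl", m[1]
            acl_pool[name] = None
        elif m := re.fullmatch(r"user-role (\S+)", line):
            section, name = "role", m[1]
            roles[name] = []
        elif m := re.fullmatch(
                r"set role condition User-Name ends-with (\S+) set-value (\S+)", line):
            conditions.append((m[1], m[2]))
        elif section == "acl" and (m := re.search(r"src-nat pool (\S+)$", line)):
            acl_pool[name] = m[1]
        elif section == "role" and (m := re.fullmatch(r"session-acl (\S+)", line)):
            roles[name].append(m[1])
    return pools, acl_pool, roles, conditions


def audit(pools, acl_pool, roles, conditions):
    """Return a sorted list of (finding, subject) tuples; empty means clean."""
    findings = set()
    for pool, (first, last) in pools.items():
        if first != last:                   # only `first` is ever used for TCP/UDP
            findings.add(("multi-address-pool", pool))
    users = {pool: [] for pool in pools}    # pool -> roles that src-nat to it
    for role, acl_list in roles.items():
        for acl in acl_list:
            if acl not in acl_pool:
                findings.add(("undefined-acl", acl))
                continue
            pool = acl_pool[acl]
            if pool is None:
                continue                    # not a src-nat ACL (e.g. dhcp-acl)
            if pool not in pools:
                findings.add(("undefined-pool", f"{acl}->{pool}"))
            else:
                users[pool].append(role)
    for pool, role_list in users.items():
        if not role_list:
            findings.add(("unused-pool", pool))
        elif len(role_list) > 1:            # two roles share one public IP
            findings.add(("shared-pool", pool))
    for _suffix, role in conditions:
        if role not in roles:
            findings.add(("undefined-role", role))
    return sorted(findings)


def audit_text(text):
    """Convenience wrapper: parse and audit a config string."""
    return audit(*parse_config(text))


if __name__ == "__main__":
    for finding, subject in audit_text(SAMPLE_CONFIG):
        print(f"{finding}: {subject}")
```

Run it against the output of `show running-config` on the controller (the parser ignores lines it does not recognise); an empty result means every pool is a single address, every pool is used by exactly one role, and every role condition resolves to a defined role.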