How should I configure NAT for wireless users?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and all ArubaOS with PEF license.


The two different approaches to setting up NAT for wireless users on ArubaOS are:

  • Using firewall policy: works on any version of ArubaOS, but only with the PEF license.
  • Using "interface vlan X ip nat inside": works with ArubaOS 2.5.2 and later.


When using firewall policy to provide source-nat service to the user, be aware of these important points:

1) Some applications should never be used with NAT, for example, DHCP and HTTP/HTTPS to Aruba's captive portal. If you forget to allow these protocols to pass without NAT, clients may have IP renewal issues or users may not be able to log out.

2) For captive portal to work, you should ensure that the client can reach the DNS server, which may require src-nat.

3) Avoid "any any any src-nat", as this may create incorrect behavior, for example, IP packets with both the src and dst IP addresses matched to the same address. The proper way is to use "user" or "network" in the source field of the policy instead of "any". Moreover, communications through src-nat can only be initiated from the private side to the public side, not the reverse, so an "any" source is logically improper in any src-nat environment.


For example, the minimal user logon role for a guest SSID would be:


ip access-list session guest-pre-logon-acl
 any any svc-dhcp permit
 user any svc-dns src-nat

ip access-list session captiveportal
 user alias mswitch svc-https dst-nat
 user any svc-http dst-nat 8080
 user any svc-https dst-nat 8081

user-role guest-pre-logon-role
 session-acl guest-pre-logon-acl
 session-acl captiveportal



The minimal src-nat policy setting for an authenticated guest user would be:


ip access-list session guest-user-acl
 any any svc-dhcp permit
 user alias mswitch svc-https dst-nat
 user any any src-nat

user-role guest-user-role
 session-acl guest-user-acl
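
The three cautions above can be checked mechanically before a policy is applied. The following Python linter is an added example, not part of the original article or of any Aruba tool; it assumes rules are evaluated top-down with the first match winning, that services are single tokens such as "any" or "svc-dhcp", and the names `parse_acls`, `lint` and `bad-guest-acl` are invented here.

```python
# Added example: heuristic lint for ArubaOS session ACLs (assumptions: first match
# wins, services are single tokens such as 'any' or 'svc-dhcp').
ADDR_ARGS = {"any": 0, "user": 0, "host": 1, "alias": 1, "network": 2}

def take_addr(tokens):
    """Split one source/destination spec (e.g. 'alias mswitch') off tokens."""
    n = ADDR_ARGS[tokens[0]] + 1
    return " ".join(tokens[:n]), tokens[n:]

def parse_acls(config):
    """Return {acl_name: [(src, dst, svc, action), ...]} in rule order."""
    acls, current = {}, None
    for tokens in filter(None, (line.split() for line in config.splitlines())):
        if tokens[:3] == ["ip", "access-list", "session"]:
            current = acls.setdefault(tokens[3], [])
        elif current is not None and tokens[0] in ADDR_ARGS:
            src, rest = take_addr(tokens)
            dst, rest = take_addr(rest)
            current.append((src, dst, rest[0], rest[1]))
        else:
            current = None  # left the ACL, e.g. entered a user-role stanza
    return acls

def lint(config):
    """Return (acl, message) findings for the src-nat pitfalls listed above."""
    findings = []
    for name, rules in parse_acls(config).items():
        dhcp_ok = portal_ok = False
        for src, dst, svc, action in rules:
            if action != "src-nat":
                # Remember exemptions that appear before any catch-all src-nat rule.
                dhcp_ok |= svc == "svc-dhcp" and action == "permit"
                portal_ok |= dst == "alias mswitch" and svc == "svc-https"
                continue
            if src == "any":
                findings.append((name, "src-nat rule has 'any' as source"))
            if svc == "any" and not dhcp_ok:
                findings.append((name, "DHCP is not exempted before src-nat"))
            if svc == "any" and not portal_ok:
                findings.append((name, "portal HTTPS is not exempted before src-nat"))
    return findings

# The article's authenticated-guest ACL, then a constructed bad ACL.
ARTICLE_ACL = """ip access-list session guest-user-acl
 any any svc-dhcp permit
 user alias mswitch svc-https dst-nat
 user any any src-nat
"""
BAD_ACL = "ip access-list session bad-guest-acl\n any any any src-nat\n"
```

`lint(ARTICLE_ACL)` returns an empty list, while `lint(BAD_ACL)` returns one finding for each of the three problems.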


Version history: Revision 1 of 1. Last update: 07-01-2014 04:54 PM