How to NAT and redirect specific traffic using an ACL on an Aruba controller when the controller is not the client's gateway

Aruba Employee

Introduction  :  

  As per the topology below, clients associate to VLAN 2 and their gateway is the firewall; the controller's gateway is also defined on the firewall. A server in VLAN-x is routable only from the controller's interface IP, and we want to send specific client traffic to that server. Because the clients' gateway is the firewall, IP NAT inside cannot be used. A plain src-nat ACL cannot be used either, because the traffic would simply be bridged to the client's gateway, the firewall.
A practical case is a captive portal server as the server in the topology, where the client only has to reach the server over HTTP/HTTPS.
To achieve this, configure the server as an ESI server and use the NAT+Redirect option in the ACL.
Environment  :  This article applies to AOS version 6.1 and above
Configuration Steps  :  
  1. Create an ESI server, using the server IP as the ESI server address. For example, I used as the server. Since the traffic has to be routed, route mode is required.
esi ping Aruba
  frequency 30
  timeout 1
  retry-count 2
esi server Aruba
  mode route
esi group Aruba
  ping Aruba
  server Aruba
2. Once the ESI configuration is done, create a NAT pool whose start and end IP are both the controller interface IP; this is the source IP for traffic destined to the server.
(Aruba-2) #show ip nat pool
NAT Pools
Name            Start IP      End IP        DNAT IP  Flags
----            --------      ------        -------  -----
3. Use the ACL below to redirect and NAT the guest users' traffic:
user      host        svc-https/http      redirect esi-group Aruba direction forward src-nat pool internal
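The three steps combined into one configuration, as an added example that is not part of the original article. SERVER-IP and CONTROLLER-IP are placeholders, the ACL name guest-esi-redirect and the role name guest are assumed, and lines starting with "!" are comments:

```text
! Step 1: ESI server in route mode (from the article), monitored by a ping probe
esi ping Aruba
  frequency 30
  timeout 1
  retry-count 2
esi server Aruba
  mode route
  trusted-ip-addr <SERVER-IP>      ! assumed command; the server IP from step 1
esi group Aruba
  ping Aruba
  server Aruba

! Step 2: NAT pool whose start and end are both the controller interface IP
ip nat pool internal <CONTROLLER-IP> <CONTROLLER-IP>

! Step 3: session ACL that redirects only HTTP/HTTPS to the server and source-NATs it
! from the controller interface; the rule form follows the article's example
ip access-list session guest-esi-redirect
  user host <SERVER-IP> svc-http  redirect esi-group Aruba direction forward src-nat pool internal
  user host <SERVER-IP> svc-https redirect esi-group Aruba direction forward src-nat pool internal
  user any any permit              ! everything else is still bridged to the client's gateway

! Apply the ACL to the role whose users should be redirected (assumed role name)
user-role guest
  access-list session guest-esi-redirect
```

Only the two redirect rules hit the ESI path; confirm with "show datapath session table", where the client-to-server entry should carry the S and R flags as shown in the verification section.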
Answer :  
  Because the client's gateway is not the controller, the controller bridges the traffic by design. If there is no route between the server and the client's VLAN, the client's traffic must be NATed and redirected to the server via one of the routable interfaces on the controller. This cannot be achieved with a src-nat ACL alone: the server has to be configured as an ESI server in route mode, and the ACL then redirects and NATs the specific traffic.
Verification  :  I have used RDP to demonstrate the TCP session

Client IP :
Server :

(Aruba-2) #show datapath  session table
Datapath Session Table Entries
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
                                6    52076 3389   0/0     0 0   0   local       1    4         191        SRC
                                6    3389  52076  0/0     0 0   0   local       1    3         151        N

We can see that the traffic is NATed and redirected to the server. Without ESI, the traffic would be bridged to the uplink switch or the client's gateway.


Version history
Revision #:
1 of 1
Last update:
‎07-10-2014 03:43 PM