Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

DNS converted to IP on SRC-NAT traffic to proxy server

  • 1.  DNS converted to IP on SRC-NAT traffic to proxy server

    Posted Nov 19, 2012 06:43 AM

    Hi All,

     

    Scenario:

    Customer has a 3200 controller with a number of AP105s. They have a guest SSID configured on a VLAN, we'll call guest VLAN. They have a corp VLAN which everything else sits on. The default gateway on the controller has been configured as their onsite proxy server which is configured as a transparent proxy.

     

    Issue:

    Guest clients can associate fine but are unable to browse the internet. We can see the traffic hitting the proxy server, but instead of seeing HTTP GET requests for the domains we are attempting to browse to, we're seeing that clients are attempting to browse to the website's IP address.

     

    I've tried setting the role clients get to allowall and I'm seeing the same results. We're using external DNS servers.


    I'm just wondering if there's anything on the controller that I've missed which could cause this?

     

    If I configure a client on a non-SRC-NAT SSID with its default gateway as the transparent proxy and using the same DNS it works fine.


    Image attached shows what we're seeing when a client attempts to connect to the bbc.co.uk website.

     

    Cheers

    James


    #3200


  • 2.  RE: DNS converted to IP on SRC-NAT traffic to proxy server

    EMPLOYEE
    Posted Nov 19, 2012 07:01 AM

    Are you doing IP Nat Inside on the VLAN level, or are you using an ACL to do the source-nat, in this case?

     



  • 3.  RE: DNS converted to IP on SRC-NAT traffic to proxy server

    Posted Nov 19, 2012 07:05 AM

    Hi Colin,

     

    We're doing it at the VLAN level.

     

    James



  • 4.  RE: DNS converted to IP on SRC-NAT traffic to proxy server

    EMPLOYEE
    Posted Nov 19, 2012 07:15 AM

    I am not sure what that is. The source IP address should be the controller's and the destination should be the website on port 80 and the proxy should be intercepting it. We probably need a packet capture to determine exactly what is going on.

     



  • 5.  RE: DNS converted to IP on SRC-NAT traffic to proxy server

    Posted Nov 19, 2012 07:31 AM

    OK thanks Colin. I'll get a packet capture and log with TAC.