Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

1 to 1 NAT based off port

  • 1.  1 to 1 NAT based off port

    Posted Oct 28, 2015 08:11 PM

    I know there are a lot of posts out there on 1 to 1 NAT.  But I am looking for something a little different.  I have an ESX server with multiple NICs, one NIC is used for a DMZ.  I want to make the following configuration, and I am a little stuck

    Internet IP:Internet Port-->Internal IP:Internal Port
    50.0.10.10:443-->10.10.12.10:443
    50.0.10.10:2326-->10.10.12.11:2326
    50.0.10.11:50000-59999-->10.10.12.12:50000-59999


    Can this be done?  If so, I need some guidance.  Preferably with the GUI...



  • 2.  RE: 1 to 1 NAT based off port

    EMPLOYEE
    Posted Oct 28, 2015 08:52 PM

    You want to use the dst-NAT action if you have a controller facing the public internet...see this.  This is from the Access Control ---> Policies portion of the Configuration on an Aruba Controller.

     

    Screen Shot 2015-10-28 at 8.51.04 PM.png



  • 3.  RE: 1 to 1 NAT based off port

    Posted Oct 28, 2015 09:21 PM
    Cool! But where do I put the public IP address? For example, I have 1 physical connection with four IP addresses, i.e. FE 1/6 is connected to a DSL modem and it has four IP addresses, and each address may serve multiple ports or a single


  • 4.  RE: 1 to 1 NAT based off port

    EMPLOYEE
    Posted Oct 28, 2015 10:37 PM
    You can create an alias with all those addresses if you wish, or just specify one IP address. To create an alias from Configuration, click on Stateful Firewall and then click Destinations across the top.


  • 5.  RE: 1 to 1 NAT based off port

    Posted Oct 28, 2015 10:51 PM

    So here is what I have, but it is not working, and it may just be a configuration on the DSL modem, but does the config look right?  Then this made me realize: what about making the outbound IP address the same as what it came in on?  I.e. if I use whatsmyip.com, have it show the mapped IP address?  That is because I have a second cable modem hooked to it as well, that is set for the default gateway.

     

    I have configured esx for the correct vlan, I can get to port 80 and 443 internally fine to 10.10.13.10.

    2015-10-28_19-47-44.png



  • 6.  RE: 1 to 1 NAT based off port

    EMPLOYEE
    Posted Oct 28, 2015 10:54 PM
    In order for this to work, the 50.x addresses must live on the controller. The controller is connected directly to the DSL modem.


  • 7.  RE: 1 to 1 NAT based off port

    Posted Oct 29, 2015 02:59 PM

    By "live on the controller", you mean assign the 50.x IP address to a VLAN?

     

    Here is the business case of what I am working on.  Basically we have a small remote office, all wireless, but we need to put Skype for Business out there.  So I have 4 IP addresses: 3 for the edge, 1 for our SIP trunk that will also be used for the reverse proxy.  I am using this to learn more than the basic setup of a controller (WLANs, VLANs, etc...).  All the services are virtualized.



  • 8.  RE: 1 to 1 NAT based off port

    Posted Oct 29, 2015 03:39 PM

    Okay, making progress.  I have created a VLAN, 1013, and I gave the IP address 50.x to that VLAN.  When I go to access that IP address from the outside world I get the management interface of the controller, which I would expect.  So at least I know I have the DSL part configured correctly.  So I just need to figure out what you mean by "live on the controller".



  • 9.  RE: 1 to 1 NAT based off port

    EMPLOYEE
    Posted Oct 29, 2015 03:46 PM

    OK...that's good...now just add that firewall policy with the dst-NAT actions from the previous post. Once you have the firewall policies configured...remember to allow everything you might need, including DNS, ICMP and DHCP, from any to any, and then apply this policy to the interface like so:

    interface gigabitethernet 1/3
    description "GE1/3"
    trusted
    trusted vlan 1-4094
    ip access-group "public-interface" session vlan 666
    switchport access vlan 666
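
An added example, not posted by anyone in this thread, of what the dst-NAT session ACL and interface binding described in this reply could look like in ArubaOS CLI. It assumes the constructed public addresses from the first post (50.0.10.10 and 50.0.10.11 living on the controller's public VLAN), the original poster's VLAN 1013 and port FE1/6, and the policy name from this reply; lines beginning with ! are annotations, not commands, and the exact syntax should be checked against the CLI reference for your ArubaOS release.

```text
! Session ACL: translate inbound traffic per public IP and port.
! Rule form: <source> <destination> <service> <action>
ip access-list session public-interface
  ! HTTPS on the first public IP -> internal web server, same port
  any host 50.0.10.10 tcp 443 dst-nat ip 10.10.12.10 443
  ! Custom TCP service on the first public IP -> a second internal host
  any host 50.0.10.10 tcp 2326 dst-nat ip 10.10.12.11 2326
  ! Port range on the second public IP; no port argument, so the
  ! original destination port is preserved for each connection
  any host 50.0.10.11 tcp 50000 59999 dst-nat ip 10.10.12.12
  ! Services the reply says to allow from any to any
  any any svc-dns permit
  any any svc-icmp permit
  any any svc-dhcp permit
  ! Explicit final deny, logged so unexpected inbound traffic is visible
  any any any deny log
!
! Bind the ACL to the port facing the DSL modem, as in the reply above
interface fastethernet 1/6
  description "DSL modem"
  trusted
  trusted vlan 1-4094
  ip access-group "public-interface" session vlan 1013
  switchport access vlan 1013
```

The dst-nat rules must sit above the permit rules, since the first matching rule wins; `show ip access-list public-interface` displays the resulting rule order.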

     



  • 10.  RE: 1 to 1 NAT based off port

    Posted Oct 29, 2015 04:18 PM

    So here are the commands I ran.  FE 1/6 is the port that has the DSL modem connected.

    interface fastethernet 1/6
    trusted
    trusted vlan 1-4094
    ip access-group edgeav443 session vlan 1013
    switchport access vlan 1013

     

    show vlan 1013

    VLAN   Description  Ports   AAA Profile
    ----   -----------  -----   -----------
    1013   VLAN1013     FE1/6   N/A

     

    show ip interface brief

    vlan 1013                   50.x.x.40 / 255.255.255.0     up      up

     

    And here are the policies; I couldn't find the right command line to show them.

    2015-10-29_13-16-11.png

    But still, when I go to the 50.x IP address I get the controller interface, not the server on the VM.



  • 11.  RE: 1 to 1 NAT based off port

    EMPLOYEE
    Posted Oct 29, 2015 04:41 PM

    In the policy, for the destination TCP port number, try using a different TCP port number and see if it works, like 8080 or something...then in your browser do

     

    https://50.x.x.x:8080/



  • 12.  RE: 1 to 1 NAT based off port

    Posted Oct 29, 2015 04:56 PM

    nope.



  • 13.  RE: 1 to 1 NAT based off port

    Posted Oct 29, 2015 11:07 PM

    I am so confused.  Here is what I have so far.

     

    The following policy.  Which rule should do it?  And I know I need to end with a deny all; what is the command to show rules in a policy from the command line?

    Policy.png

    Here is the VLAN 1013 (which has the external IP):

    vlan 1013                   50.x.x.40 / 255.255.255.0     up      up

     

    Port 6 is where the DSL modem is connected:

    Name:  FE1/6
    Trusted Vlan(s)
    1-4094

    Trunking Native Mode VLAN: 1013 (VLAN1013)

     

    Port 5 is where the ESX server is located; the session access list EdgeRules is applied:

    Access Mode VLAN: 0 ((Inactive))
    Trunking Native Mode VLAN: 1 (VLAN0001)
    Trunking Vlans Enabled: 1,42,1012-1013
    Trunking Vlans Active: 1,1012-1013

     

    I can get to 10.10.13.10:8080 (a test VM) internally without issues.

    If I try to go to http://50.x.x.40:8080/ internally it fails, which I would imagine to be true.  If I go to http://50.x.x.40 it brings me to the controller, which I would expect.

     

    This should be working right?



  • 14.  RE: 1 to 1 NAT based off port

    Posted Oct 30, 2015 12:39 AM

    I have also confirmed that it is not an issue with the modem.  I put a laptop on the same port, same cable, same IP and was able to access it with no issues.

     

    I can also see that it is indeed connected to the modem, both in the port status on the 620 and on the cable modem.

     

    I'm really lost, and I really need to get this figured out.

     

    Does being ex-aruba help?



  • 15.  RE: 1 to 1 NAT based off port

    Posted Oct 30, 2015 03:15 AM

    Okay, my last thought, then I'm out of ideas.  Except, could it be that I have two public IP addresses?  Meaning I have one IP from the local cable company for doing internet-based traffic, and the second from DSL for doing SfB.



  • 16.  RE: 1 to 1 NAT based off port

    Posted Oct 30, 2015 03:38 AM

    So I learned something.  If I assign a VM one of the public IP addresses, it works just fine.  I can add an access control policy to block, drop, etc.  So that confirms that things are passing through the DSL; however, I still need the NAT translation.  PLEASE...