Controller 7005 - issues with inter-vlan routing

  • 1.  Controller 7005 - issues with inter-vlan routing

    Posted Sep 06, 2018 01:24 PM

    Hello,

     

    My issue is that I am unable to ping from one vlan to another on the 7005 controller. 

     

    It's been many years since I've configured an Aruba controller so I'm sure my issue is due to me overlooking something.  We received this small controller for testing in the lab with the ultimate goal of testing the IPSec tunnel functionality. 

    Aruba Controller 7005-US JW634A
    ArubaOS 6.5.1.4 build 58698

     

    I have set up the following:

    LAN: Vlan 1 - 10.57.30.32/29 - 10.57.30.33 - Ports 0 - 2

    WAN: Vlan 10 - 192.168.0.0/24 - 192.168.0.117 - Port 3

    Inter-vlan routing has been configured for both vlans.

    DHCP is configured for the LAN and does work.

     

    My laptop pulls 10.57.30.35 on Port 1 and I can ping 10.57.30.33.  However, I cannot ping 192.168.0.117.

    The controller is plugged into another device and I can ping from vlan 10 to 192.168.0.1.  I cannot ping from 10.57.30.33 to 192.168.0.1.

     

    Thanks in advance for suggestions.

     

    Here is the config.  Sorry for posting the whole thing but I'm not sure where the issue is:

    (Aruba7005) (config) #show run
    Building Configuration...
     
    version 6.5
    enable secret "******"
    enable bypass
    loginsession timeout 0 
    hostname "Aruba7005"
    clock timezone PST -8
    location "Building1.floor1" 
    controller config 3
    ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
    ip access-list geolocation global-geolocation-acl
    !
    ip access-list eth validuserethacl
      permit any 
    !
    netservice svc-ipp-tcp tcp 631
    netservice svc-dhcp udp 67 68 alg dhcp
    netservice svc-citrix tcp 2598
    netservice svc-pcoip-udp udp 50002
    netservice svc-netbios-ssn tcp 139
    netservice svc-tftp udp 69 alg tftp
    netservice svc-papi udp 8211
    netservice svc-ica tcp 1494
    netservice svc-natt udp 4500
    netservice svc-lpd tcp 515
    netservice svc-microsoft-ds tcp 445
    netservice svc-syslog udp 514
    netservice svc-msrpc-tcp tcp 135 139
    netservice svc-msrpc-udp udp 135 139
    netservice svc-smtp tcp 25
    netservice svc-http-proxy2 tcp 8080
    netservice svc-cfgm-tcp tcp 8211
    netservice vnc tcp 5900 5905
    netservice svc-web tcp list "80 443"
    netservice svc-h323-udp udp 1718 1719
    netservice svc-sccp tcp 2000 alg sccp
    netservice svc-bootp udp 67 69
    netservice svc-telnet tcp 23
    netservice svc-http tcp 80
    netservice svc-vmware-rdp tcp 3389
    netservice svc-ipp-udp udp 631
    netservice svc-noe-oxo udp 5000 alg noe
    netservice svc-vocera udp 5002 alg vocera
    netservice svc-esp 50
    netservice svc-http-proxy1 tcp 3128
    netservice svc-sec-papi udp 8209
    netservice svc-l2tp udp 1701
    netservice svc-rtsp tcp 554 alg rtsp
    netservice svc-gre 47
    netservice svc-sip-tcp tcp 5060
    netservice svc-pptp tcp 1723
    netservice svc-snmp udp 161
    netservice svc-svp 119 alg svp
    netservice svc-icmp 1
    netservice svc-smb-tcp tcp 445
    netservice svc-pcoip2-tcp tcp 4172
    netservice svc-v6-icmp 58
    netservice svc-ssh tcp 22
    netservice svc-h323-tcp tcp 1720
    netservice svc-ntp udp 123
    netservice svc-pop3 tcp 110
    netservice svc-netbios-ns udp 137
    netservice svc-adp udp 8200
    netservice svc-v6-dhcp udp 546 547
    netservice svc-dns udp 53 alg dns
    netservice svc-netbios-dgm udp 138
    netservice svc-http-proxy3 tcp 8888
    netservice svc-sip-udp udp 5060
    netservice svc-kerberos udp 88
    netservice svc-sips tcp 5061 alg sips
    netservice svc-pcoip2-udp udp 4172
    netservice svc-pcoip-tcp tcp 50002
    netservice svc-noe udp 32512 alg noe
    netservice svc-nterm tcp 1026 1028
    netservice svc-ike udp 500
    netservice svc-snmp-trap udp 162
    netservice svc-smb-udp udp 445
    netservice svc-ftp tcp 21 alg ftp
    netservice svc-https tcp 443
    netexthdr default
    !
    time-range working-hours periodic
     weekday 08:00 to  18:00
    !
    time-range night-hours periodic
     weekday 18:01 to  23:59
     weekday 00:00 to  07:59
    !
    time-range weekend periodic
     weekend 00:00 to  23:59
    !
    ip access-list session svp-acl
    !
    ip access-list session apprf-stateful-dot1x-sacl
    !
    ip access-list session logon-control
    !
    ip access-list session ap-uplink-acl
    !
    ip access-list session v6-http-acl
    !
    ip access-list session v6-logon-control
    !
    ip access-list session http-acl
    !
    ip access-list session icmp-acl
    !
    ip access-list session vocera-acl
    !
    ip access-list session vmware-acl
    !
    ip access-list session citrix-acl
    !
    ip access-list session tftp-acl
    !
    ip access-list session sip-acl
    !
    ip access-list session ra-guard
    !
    ip access-list session srcnat
    !
    ip access-list session global-sacl
    !
    ip access-list session v6-dhcp-acl
    !
    ip access-list session cplogout
    !
    ip access-list session wificalling-acl
    !
    ip access-list session vpnlogon
    !
    ip access-list session v6-control
    !
    ip access-list session allow-diskservices
    !
    ip access-list session apprf-guest-sacl
    !
    ip access-list session wificalling-block
    !
    ip access-list session v6-ap-acl
    !
    ip access-list session v6-allowall
    !
    ip access-list session v6-icmp-acl
    !
    ip access-list session validuser
      network 127.0.0.0 255.0.0.0 any any  deny 
      network 169.254.0.0 255.255.0.0 any any  deny 
      network 224.0.0.0 240.0.0.0 any any  deny 
      host 255.255.255.255 any any  deny 
      network 240.0.0.0 240.0.0.0 any any  deny 
      any any any  permit 
      ipv6 host fe80:: any any  deny 
      ipv6 network fc00::/7 any any  permit 
      ipv6 network fe80::/64 any any  permit 
      ipv6  alias ipv6-reserved-range any any  deny 
      ipv6  any any any  permit 
    !
    ip access-list session v6-dns-acl
    !
    ip access-list session captiveportal
    !
    ip access-list session v6-https-acl
    !
    ip access-list session dhcp-acl
    !
    ip access-list session h323-acl
    !
    ip access-list session allowall
    !
    ip access-list session allow-printservices
    !
    ip access-list session https-acl
    !
    ip access-list session skinny-acl
    !
    ip access-list session ap-acl
    !
    ip access-list session captiveportal6
    !
    ip access-list session control
    !
    ip access-list session dns-acl
    !
    ip access-list session noe-acl
    !
    vpn-dialer default-dialer
      ike authentication PRE-SHARE ******
    !
    user-role ap-role
    !
    user-role sys-ap-role
    !
    user-role stateful-dot1x
     access-list session global-sacl
     access-list session apprf-stateful-dot1x-sacl
    !
    user-role guest-logon
    !
    user-role logon
    !
    user-role cpbase
    !
    user-role denyall
    !
    user-role guest
     access-list session global-sacl
     access-list session apprf-guest-sacl
    !
    user-role default-iap-user-role
     access-list session allowall
    !
    !
    
    kernel coredump
    interface mgmt
            shutdown
    !
    
    dialer group evdo_us
      init-string ATQ0V1E0
      dial-string ATDT#777
    !
    
    dialer group gsm_us
      init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
      dial-string ATD*99#
    !
    
    dialer group gsm_asia
      init-string AT+CGDCONT=1,"IP","internet"
      dial-string ATD*99***1#
    !
    
    dialer group vivo_br
      init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
      dial-string ATD*99#
    !
    
    
    
    vlan 10 "WAN" 
    
    
    interface gigabitethernet 0/0/0
            description "GE0/0/0"
            trusted
            trusted vlan 1-4094
    !
    
    interface gigabitethernet 0/0/1
            description "GE0/0/1"
            trusted
            trusted vlan 1-4094
    !
    
    interface gigabitethernet 0/0/2
            description "GE0/0/2"
            trusted
            trusted vlan 1-4094
    !
    
    interface gigabitethernet 0/0/3
            description "GE0/0/3"
            trusted
            trusted vlan 1-4094
            switchport access vlan 10
    !
    
    interface vlan 1
            ip address 10.57.30.33 255.255.255.248
    !
    
    interface vlan 10
            ip address 192.168.0.117 255.255.255.0
            description "WAN to CRADLEPOINT"
    !
    
    !
    !
    ip default-gateway 192.168.0.1
    no uplink wired vlan 1
    uplink disable
    ip nexthop-list pan-gp-ipsec-map-list
    !
    
    crypto isakmp policy 20
      encryption aes256
    !
    
    crypto isakmp policy 10001
    !
    
    crypto isakmp policy 10002
      encryption aes256
      authentication rsa-sig
    !
    
    crypto isakmp policy 10003
      encryption aes256
    !
    
    crypto isakmp policy 10004
      version v2
      encryption aes256
      authentication rsa-sig
    !
    
    crypto isakmp policy 10005
      encryption aes256
    !
    
    crypto isakmp policy 10006
      version v2
      encryption aes128
      authentication rsa-sig
    !
    
    crypto isakmp policy 10007
      version v2
      encryption aes128
    !
    
    crypto isakmp policy 10008
      version v2
      encryption aes128
      hash sha2-256-128
      group 19
      authentication ecdsa-256
      prf prf-hmac-sha256
    !
    
    crypto isakmp policy 10009
      version v2
      encryption aes256
      hash sha2-384-192
      group 20
      authentication ecdsa-384
      prf prf-hmac-sha384
    !
    
    crypto isakmp policy 10012
      version v2
      encryption aes256
      authentication rsa-sig
    !
    
    crypto isakmp policy 10013
      encryption aes256
    !
    
    crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
    crypto ipsec transform-set default-boc-bm-transform esp-aes256 esp-sha-hmac
    crypto ipsec transform-set default-1st-ikev2-transform esp-aes256 esp-sha-hmac
    crypto ipsec transform-set default-3rd-ikev2-transform esp-aes128 esp-sha-hmac
    crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
    crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
    crypto dynamic-map default-rap-ipsecmap 10001
      version v2
      set transform-set "default-gcm256" "default-gcm128" "default-rap-transform" 
    !
    
    crypto dynamic-map default-dynamicmap 10000
      set transform-set "default-transform" "default-aes" 
    !
    
    crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
    crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
    crypto isakmp eap-passthrough eap-tls
    crypto isakmp eap-passthrough eap-peap
    crypto isakmp eap-passthrough eap-mschapv2
    
    vpdn group l2tp
    !
    
    ip dhcp excluded-address 10.57.30.32 10.57.30.34
    ip dhcp pool local_pool
     default-router 10.57.30.33
     dns-server 8.8.8.8
     lease 0 0 10 0
     network 10.57.30.32 255.255.255.248
     authoritative
    !
    service dhcp
      
      
    
    !
    
    vpdn group pptp
    !
    
    tunneled-node-address 0.0.0.0
    ap-crash-transfer
    
    adp discovery enable
    adp igmp-join enable
    adp igmp-vlan 0
    
    ap ap-blacklist-time 3600
    ap flush-r1-on-new-r0 disable
    amon msg-buffer-size 32768
    
    
    stm mon-update-queue 7248
    
    no ssh mgmt-auth public-key
    ssh mgmt-auth username/password
    mgmt-user admin root 1e4db828018c2dcdfb6f87cbb471002ede6813243d35060cc9
    
    
    
    
    no database synchronize
    ip mobile domain default
    !
    !
    !
    airgroup mdns "disable"
    !
    airgroup dlna "disable"
    !
    airgroup location-discovery "enable"
    !
    !
    airgroup active-wireless-discovery "disable"
    !
    airgroupservice "airplay"
      id "_airplay._tcp"
      id "_raop._tcp"
      id "_appletv-v2._tcp"
      description "AirPlay"
    !
    airgroupservice "airprint"
      id "_ipp._tcp"
      id "_pdl-datastream._tcp"
      id "_printer._tcp"
      id "_scanner._tcp"
      id "_http._tcp"
      id "_http-alt._tcp"
      id "_ipp-tls._tcp"
      id "_fax-ipp._tcp"
      id "_riousbprint._tcp"
      id "_ica-networking._tcp"
      id "_ptp._tcp"
      id "_canon-bjnp1._tcp"
      id "_ipps._tcp"
      id "_ica-networking2._tcp"
      description "AirPrint"
    !
    airgroupservice "itunes"
      id "_home-sharing._tcp"
      id "_apple-mobdev._tcp"
      id "_daap._tcp"
      id "_dacp._tcp"
      description "iTunes"
    !
    airgroupservice "remotemgmt"
      id "_ssh._tcp"
      id "_sftp-ssh._tcp"
      id "_ftp._tcp"
      id "_telnet._tcp"
      id "_rfb._tcp"
      id "_net-assistant._tcp"
      description "Remote management"
    !
    airgroupservice "sharing"
      id "_odisk._tcp"
      id "_afpovertcp._tcp"
      id "_xgrid._tcp"
      description "Sharing"
    !
    airgroupservice "chat"
      id "_presence._tcp"
      description "Chat"
    !
    airgroupservice "googlecast"
      id "_googlecast._tcp"
      description "GoogleCast supported by Chromecast etc"
    !
    airgroupservice "AmazonTV"
      id "_amzn-wplay._tcp"
      description "Amazon fire tv"
    !
    airgroupservice "DIAL"
      id "urn:dial-multiscreen-org:service:dial:1"
      id "urn:dial-multiscreen-org:device:dial:1"
      description "DIAL supported by Chromecast, FireTV, Roku etc"
    !
    airgroupservice "DLNA Media"
      id "urn:schemas-upnp-org:device:MediaServer:1"
      id "urn:schemas-upnp-org:device:MediaServer:2"
      id "urn:schemas-upnp-org:device:MediaServer:3"
      id "urn:schemas-upnp-org:device:MediaServer:4"
      id "urn:schemas-upnp-org:device:MediaRenderer:1"
      id "urn:schemas-upnp-org:device:MediaRenderer:2"
      id "urn:schemas-upnp-org:device:MediaRenderer:3"
      id "urn:schemas-upnp-org:device:MediaPlayer:1"
      description "Media"
    !
    airgroupservice "DLNA Print"
      id "urn:schemas-upnp-org:device:Printer:1"
      id "urn:schemas-upnp-org:service:PrintBasic:1"
      id "urn:schemas-upnp-org:service:PrintEnhanced:1"
      description "Print"
    !
    airgroupservice "allowall"
      description "Remaining-Services"
    !
    airgroup service "airplay" enable
    !
    airgroup service "airprint" enable
    !
    airgroup service "itunes" disable
    !
    airgroup service "remotemgmt" disable
    !
    airgroup service "sharing" disable
    !
    airgroup service "chat" disable
    !
    airgroup service "googlecast" disable
    !
    airgroup service "AmazonTV" disable
    !
    airgroup service "DIAL" enable
    !
    airgroup service "DLNA Media" disable
    !
    airgroup service "DLNA Print" disable
    !
    airgroup service "allowall" disable
    !
    
    ip igmp
    !
    
    ipv6 mld
    !
    
    firewall attack-rate grat-arp 50 drop
    ipv6 firewall ext-hdr-parse-len  100
    
    !
    
    !
    firewall cp
    !
    ip domain lookup
    !
    country US
    aaa authentication mac "default"
    !
    aaa authentication dot1x "default"
    !
    aaa server-group "default"
     auth-server Internal
     set role condition role value-of
    !
    aaa profile "default"
    !
    aaa authentication captive-portal "default"
    !
    aaa authentication wispr "default"
    !
    aaa authentication vpn "default"
    !
    aaa authentication vpn "default-rap"
    !
    aaa authentication mgmt
    !
    aaa authentication stateful-ntlm "default"
    !
    aaa authentication stateful-kerberos "default"
    !
    aaa authentication stateful-dot1x
    !
    aaa authentication wired
    !
    web-server profile
       session-timeout 3600
    !
    guest-access-email
    !
    aaa password-policy mgmt
    !
    control-plane-security
    !
    ids wms-general-profile
    !
    ids wms-local-system-profile
    !
    valid-network-oui-profile
    !
    upgrade-profile
    !
    license profile
    !
    activate-service-whitelist
    !
    file syncing profile
    !
    papi-security
    !
    ifmap cppm
    !
    pan profile "default"
    !
    pan-options
    !
    pan active-profile
    !
    openflow-profile
    !
    aruba-central
    !
    ap system-profile "default"
       ap-console-password c573264493818910e1b42fbdc9940b0f9629e808d804de19
    !
    ap regulatory-domain-profile "default"
       country-code US
       valid-11g-channel 1
       valid-11g-channel 6
       valid-11g-channel 11
       valid-11a-channel 36
       valid-11a-channel 40
       valid-11a-channel 44
       valid-11a-channel 48
       valid-11a-channel 149
       valid-11a-channel 153
       valid-11a-channel 157
       valid-11a-channel 161
       valid-11a-channel 165
       valid-11g-40mhz-channel-pair 1-5
       valid-11g-40mhz-channel-pair 7-11
       valid-11a-40mhz-channel-pair 36-40
       valid-11a-40mhz-channel-pair 44-48
       valid-11a-40mhz-channel-pair 149-153
       valid-11a-40mhz-channel-pair 157-161
       valid-11a-80mhz-channel-group 36-48
       valid-11a-80mhz-channel-group 149-161
       valid-11a-160mhz-channel-group 36-64
    !
    ap wired-ap-profile "default"
    !
    ap enet-link-profile "default"
    !
    ap mesh-ht-ssid-profile "default"
    !
    ap lldp med-network-policy-profile "default"
    !
    ap mesh-cluster-profile "default"
    !
    ap lldp profile "default"
    !
    ap mesh-radio-profile "default"
    !
    ap wired-port-profile "default"
    !
    ids general-profile "default"
    !
    ids unauthorized-device-profile "default"
    !
    ids profile "default"
    !
    rf arm-profile "arm-maintain"
       assignment maintain
       no scanning
    !
    rf arm-profile "arm-scan"
    !
    rf optimization-profile "default"
    !
    rf event-thresholds-profile "default"
    !
    rf am-scan-profile "default"
    !
    rf dot11a-radio-profile "default"
    !
    rf dot11a-radio-profile "rp-maintain-a"
       arm-profile "arm-maintain"
    !
    rf dot11a-radio-profile "rp-monitor-a"
       mode am-mode
    !
    rf dot11a-radio-profile "rp-scan-a"
       arm-profile "arm-scan"
    !
    rf dot11g-radio-profile "default"
    !
    rf dot11g-radio-profile "rp-maintain-g"
       arm-profile "arm-maintain"
    !
    rf dot11g-radio-profile "rp-monitor-g"
       mode am-mode
    !
    rf dot11g-radio-profile "rp-scan-g"
       arm-profile "arm-scan"
    !
    wlan handover-trigger-profile "default"
    !
    wlan rrm-ie-profile "default"
    !
    wlan bcn-rpt-req-profile "default"
    !
    wlan dot11r-profile "default"
    !
    wlan tsm-req-profile "default"
    !
    wlan ht-ssid-profile "default"
    !
    wlan hotspot anqp-venue-name-profile "default"
    !
    wlan hotspot anqp-nwk-auth-profile "default"
    !
    wlan hotspot anqp-roam-cons-profile "default"
    !
    wlan hotspot anqp-nai-realm-profile "default"
    !
    wlan hotspot anqp-3gpp-nwk-profile "default"
    !
    wlan hotspot h2qp-operator-friendly-name-profile "default"
    !
    wlan hotspot h2qp-wan-metrics-profile "default"
    !
    wlan hotspot h2qp-conn-capability-profile "default"
    !
    wlan hotspot h2qp-op-cl-profile "default"
    !
    wlan hotspot h2qp-osu-prov-list-profile "default"
    !
    wlan hotspot anqp-ip-addr-avail-profile "default"
    !
    wlan hotspot anqp-domain-name-profile "default"
    !
    wlan dot11k-profile "default"
    !
    wlan ssid-profile "default"
    !
    wlan hotspot advertisement-profile "default"
    !
    wlan hotspot hs2-profile "default"
    !
    wlan virtual-ap "default"
    !
    ap provisioning-profile "default"
    !
    rf arm-rf-domain-profile
       arm-rf-domain-key "0c318048f08f3e0cc5d054c161836ddb"
    !
    ap-lacp-striping-ip
    !
    ap general-profile
    !
    ap-group "default"
    !
    airgroup cppm-server aaa
    !
    logging level warnings security subcat ids
    logging level warnings security subcat ids-ap
    
    snmp-server enable trap
    snmp-server trap source 0.0.0.0
    snmp-server trap disable  wlsxAdhocNetwork
    snmp-server trap disable  wlsxAdhocNetworkBridgeDetectedAP
    snmp-server trap disable  wlsxAdhocNetworkBridgeDetectedSta
    snmp-server trap disable  wlsxAdhocUsingValidSSID
    snmp-server trap disable  wlsxAuthMaxAclEntries
    snmp-server trap disable  wlsxAuthMaxBWContracts
    snmp-server trap disable  wlsxAuthMaxUserEntries
    snmp-server trap disable  wlsxAuthServerIsUp
    snmp-server trap disable  wlsxAuthServerReqTimedOut
    snmp-server trap disable  wlsxAuthServerTimedOut
    snmp-server trap disable  wlsxChannelChanged
    snmp-server trap disable  wlsxCoverageHoleDetected
    snmp-server trap disable  wlsxDBCommunicationFailure
    snmp-server trap disable  wlsxDisconnectStationAttack
    snmp-server trap disable  wlsxESIServerDown
    snmp-server trap disable  wlsxESIServerUp
    snmp-server trap disable  wlsxFanFailure
    snmp-server trap disable  wlsxFanTrayInserted
    snmp-server trap disable  wlsxFanTrayRemoved
    snmp-server trap disable  wlsxGBICInserted
    snmp-server trap disable  wlsxIpSpoofingDetected
    snmp-server trap disable  wlsxLCInserted
    snmp-server trap disable  wlsxLCRemoved
    snmp-server trap disable  wlsxLicenseExpiry
    snmp-server trap disable  wlsxLowMemory
    snmp-server trap disable  wlsxLowOnFlashSpace
    snmp-server trap disable  wlsxOutOfRangeTemperature
    snmp-server trap disable  wlsxOutOfRangeVoltage
    snmp-server trap disable  wlsxPowerSupplyFailure
    snmp-server trap disable  wlsxPowerSupplyMissing
    snmp-server trap disable  wlsxProcessDied
    snmp-server trap disable  wlsxProcessExceedsMemoryLimits
    snmp-server trap disable  wlsxSCInserted
    snmp-server trap disable  wlsxSignatureMatch
    snmp-server trap disable  wlsxStaUnAssociatedFromUnsecureAP
    snmp-server trap disable  wlsxStationAddedToBlackList
    snmp-server trap disable  wlsxStationRemovedFromBlackList
    snmp-server trap disable  wlsxSwitchIPChanged
    snmp-server trap disable  wlsxSwitchRoleChange
    snmp-server trap disable  wlsxUserAuthenticationFailed
    snmp-server trap disable  wlsxUserEntryAuthenticated
    snmp-server trap disable  wlsxUserEntryChanged
    snmp-server trap disable  wlsxUserEntryCreated
    snmp-server trap disable  wlsxUserEntryDeAuthenticated
    snmp-server trap disable  wlsxUserEntryDeleted
    snmp-server trap disable  wlsxVrrpStateChange
    
    process monitor log
    ip probe default
      mode Ping
      frequency 10
      retries 3
      burst-size 5
    !
    ip probe health-check
      mode Ping
      frequency 10
      retries 3
      burst-size 5
    !
    
    activate periodic-sync enable
    end
    
    (Aruba7005) (config) #

     

     



  • 2.  RE: Controller 7005 - issues with inter-vlan routing

    EMPLOYEE
    Posted Sep 06, 2018 01:49 PM

    What does the routing table look like on the CradlePoint device at 192.168.0.1? It should have a static route for your 10.57.30.32/29 subnet pointing to 192.168.0.117.

     

    Likewise, verify the laptop configuration is pointing to 10.57.30.33 as its default gateway, and that no VPN clients are connected or otherwise modifying the routing table.



  • 3.  RE: Controller 7005 - issues with inter-vlan routing

    Posted Sep 06, 2018 02:39 PM

    Unfortunately, the cradlepoint is our customer's device and we don't have access into it.  It's one of the reasons this has been such a hassle to troubleshoot.  The 10.57.30.32/29 block, ultimately, won't be routed through the cradlepoint as it will be behind an IPSec tunnel.  If the 7005 config looks ok, then I'll inform the customer we cannot move forward.  

     

    I did do the following:

    (Aruba7005) #show ip route
    
    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch
    
    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    Gateway of last resort is 192.168.0.1 to network 0.0.0.0 at cost 1
    S*    0.0.0.0/0  [1/0] via 192.168.0.1*
    C    10.57.30.32/29 is directly connected, VLAN1
    C    192.168.0.0/24 is directly connected, VLAN10
    
    (Aruba7005) #ping 8.8.8.8 source 10
    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 8.8.8.8 from 192.168.0.117, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    
    (Aruba7005) #


  • 4.  RE: Controller 7005 - issues with inter-vlan routing

    Posted Sep 06, 2018 02:46 PM

    To simplify this, I've removed the cradlepoint and plugged the internet circuit directly into the 7005.

    (Aruba7005) (config) #show ip interface brief
    
    Interface                   IP Address / IP Netmask        Admin   Protocol   VRRP-IP         (VRRP-Id)
    vlan 1                     10.57.30.33 / 255.255.255.248   up      up         none            (none)
    vlan 10                  72.173.194.58 / 255.255.254.0     up      up         none            (none)
    loopback                    unassigned / unassigned        up      up  
    
    DHCP is enabled on VLAN(s) 10
    
    (Aruba7005) #ping 4.2.2.2
    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 43.158/340.302/639.063 ms
    
    
    (Aruba7005) #ping 4.2.2.2 source 1
    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 4.2.2.2 from 10.57.30.33, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    
    (Aruba7005) #ping 4.2.2.2         
    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 26.27/334.347/638.342 ms
    
    (Aruba7005) #show ip route
    
    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch
    
    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    S*    0.0.0.0/0  [10/0] via 72.173.194.1*
    C    10.57.30.32/29 is directly connected, VLAN1
    C    72.173.194.0/23 is directly connected, VLAN10

     

     



  • 5.  RE: Controller 7005 - issues with inter-vlan routing

    EMPLOYEE
    Posted Sep 06, 2018 03:46 PM

    @chauc3r wrote:

    To simplify this, I've removed the cradlepoint and plugged the internet circuit directly into the 7005.

    (Aruba7005) (config) #show ip interface brief
    
    Interface                   IP Address / IP Netmask        Admin   Protocol   VRRP-IP         (VRRP-Id)
    vlan 1                     10.57.30.33 / 255.255.255.248   up      up         none            (none)
    vlan 10                  72.173.194.58 / 255.255.254.0     up      up         none            (none)
    loopback                    unassigned / unassigned        up      up  
    
    DHCP is enabled on VLAN(s) 10
    
    (Aruba7005) #ping 4.2.2.2
    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 43.158/340.302/639.063 ms
    
    
    (Aruba7005) #ping 4.2.2.2 source 1
    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 4.2.2.2 from 10.57.30.33, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    
    (Aruba7005) #ping 4.2.2.2         
    Press 'q' to abort.
    Sending 5, 92-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 26.27/334.347/638.342 ms
    
    (Aruba7005) #show ip route
    
    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch
    
    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    S*    0.0.0.0/0  [10/0] via 72.173.194.1*
    C    10.57.30.32/29 is directly connected, VLAN1
    C    72.173.194.0/23 is directly connected, VLAN10

     

     


    You will not be able to ping Internet resources from your 10.0.0.0/8 IP address space, because that space is not routable over the Internet. 4.2.2.2 has no way to reply to 10/8, and traffic from that address space is most likely blocked at ingress into your ISP.

     

    Similarly, without looking at the CradlePoint's configuration, it most likely does not know to send traffic to 10.57.30.32/29 to the controller at 192.168.0.117. Routing information would need to be learned, either through static configuration or via a dynamic routing protocol.

     

    If connecting the 7005 directly to the ISP is supposed to work, then there needs to be a device in the network that performs NAT for the 10/8 network. Since the CradlePoint is connected to the ISP, it typically would handle that, but the 7005 can perform that function as well.
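
The return-path reasoning in the reply above, as an added example that is not part of the original thread: a small hop-by-hop model that traces the echo request and the echo reply separately using longest-prefix match. The 7005 routes are taken from the `show ip route` output in the thread; the CradlePoint's routing table, its 203.0.113.x WAN addressing, and the `isp` node standing in for the Internet (and owning 4.2.2.2) are constructed assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


class Router:
    def __init__(self, name, addrs, routes, drops_rfc1918=False):
        self.name = name
        self.addrs = set(addrs)
        # routes: (prefix, next_hop); next_hop None means directly connected
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.drops_rfc1918 = drops_rfc1918

    def next_hop(self, dst):
        """Longest-prefix match. Returns the next-hop address, or None."""
        d = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if d in net]
        if not matches:
            return None
        _, nh = max(matches, key=lambda m: m[0].prefixlen)
        return nh if nh else dst  # connected: the destination is the next hop


def trace(routers, start, src, dst, max_hops=8):
    """Follow one packet from the router owning `start` toward `dst`."""
    owner = {a: r for r in routers for a in r.addrs}
    here = owner[start]
    for _ in range(max_hops):
        if here.drops_rfc1918 and (is_rfc1918(src) or is_rfc1918(dst)):
            return False, f"{here.name}: RFC 1918 address dropped"
        if dst in here.addrs:
            return True, f"delivered to {here.name}"
        nh = here.next_hop(dst)
        if nh is None:
            return False, f"{here.name}: no route to {dst}"
        if nh not in owner:
            return False, f"{here.name}: next hop {nh} unreachable"
        here = owner[nh]
    return False, "hop limit exceeded"


def ping(routers, src, dst, snat_to=None):
    """A ping succeeds only if BOTH the request and the reply are delivered.
    snat_to models source NAT on the first router: upstream sees that address."""
    seen_src = snat_to or src
    ok, why = trace(routers, src, seen_src, dst)
    if not ok:
        return False, "request: " + why
    ok, why = trace(routers, dst, dst, seen_src)
    return ok, "reply: " + why


def lab_behind_cradlepoint(static_route=False):
    # CradlePoint table is an assumption: connected nets plus a default route.
    cp_routes = [("192.168.0.0/24", None), ("203.0.113.0/24", None),
                 ("0.0.0.0/0", "203.0.113.1")]
    if static_route:  # the static route suggested in the thread
        cp_routes.append(("10.57.30.32/29", "192.168.0.117"))
    return [
        Router("7005", ["10.57.30.33", "192.168.0.117"],
               [("10.57.30.32/29", None), ("192.168.0.0/24", None),
                ("0.0.0.0/0", "192.168.0.1")]),
        Router("cradlepoint", ["192.168.0.1", "203.0.113.2"], cp_routes),
        Router("isp", ["203.0.113.1"], [("203.0.113.0/24", None)],
               drops_rfc1918=True),
    ]


def lab_direct_to_isp():
    return [
        Router("7005", ["10.57.30.33", "72.173.194.58"],
               [("10.57.30.32/29", None), ("72.173.194.0/23", None),
                ("0.0.0.0/0", "72.173.194.1")]),
        Router("isp", ["72.173.194.1", "4.2.2.2"],
               [("72.173.194.0/23", None)], drops_rfc1918=True),
    ]


if __name__ == "__main__":
    print(ping(lab_behind_cradlepoint(), "10.57.30.33", "192.168.0.1"))
    print(ping(lab_behind_cradlepoint(True), "10.57.30.33", "192.168.0.1"))
    print(ping(lab_direct_to_isp(), "10.57.30.33", "4.2.2.2"))
    print(ping(lab_direct_to_isp(), "10.57.30.33", "4.2.2.2",
               snat_to="72.173.194.58"))
```

In the model the request from 10.57.30.33 reaches 192.168.0.1 in every case; what changes between failure and success is only whether the reply has a path back, through either a static route upstream or source NAT on the 7005.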



  • 6.  RE: Controller 7005 - issues with inter-vlan routing

    Posted Sep 06, 2018 04:08 PM

    Probably should have mentioned this but I put a nat on the vlans so that I could get out to the internet.  Sorry, I thought that would be implied.



  • 7.  RE: Controller 7005 - issues with inter-vlan routing

    EMPLOYEE
    Posted Sep 06, 2018 05:16 PM

    @chauc3r wrote:

    Probably should have mentioned this but I put a nat on the vlans so that I could get out to the internet.  Sorry, I thought that would be implied.


    What is your nat configuration?



  • 8.  RE: Controller 7005 - issues with inter-vlan routing

    Posted Sep 06, 2018 05:24 PM

    interface vlan 1
            ip address 10.57.30.33 255.255.255.248
            ip nat inside
    !
    
    interface vlan 10
            ip address dhcp-client
            ip nat outside
            description "WAN to CRADLEPOINT"
    !