Guest Users going out Firewall with Controller IP
10-24-2017 12:00 PM
My guests are on VLAN 115. Their devices get the correct IP address. However, when they hit the firewall they have the IP address of the Aruba Controller. Need help troubleshooting. If I can find out what the issue is I can fix it. Anybody?
Re: Guest Users going out Firewall with Controller IP
11-01-2017 09:14 AM
Hi MemphisBrothers, there isn't really any other easy way once the NAT is in place.
Are you trying to actually see the traffic, or is it for audit purposes or just for debug purposes?
For audit, you could maybe look at doing something like open SSID RADIUS accounting to try and capture the framed-ip of the user.
Another option, but it's not so nice to the controller, is that you put a logging rule on the access-list and collect the syslog of the controller somewhere (not the most scalable solution though, and I wouldn't recommend it for that reason).
Finally, if you're just trying to debug, you can use "show datapath session table | include <thing>" to find the NAT flows. At the risk of showing you something you already know, here is how that would look for a natted ping from client 192.168.5.1 to 192.168.1.254 which goes through nat-inside on 192.168.1.162. The ip1,ip2 syntax is just to pick up both sides of the conversation (no space around the comma).
(zzzz) #show datapath session table | include 192.168.5.1,192.168.1.254
192.168.1.254 192.168.1.162 1 34807 0 0/0 0 0 0 tunnel 18 6 1 60 FNI
192.168.5.1 192.168.1.254 1 34807 2048 0/0 0 0 0 tunnel 18 6 1 60 FSCI
The "C" in the last row indicates the initiator, in this case I know that to be the client.
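
For audit or debugging, the pairing described in the reply above can be automated over captured `show datapath session table` output. The following is an added example, not part of the original thread and not Aruba code: it finds each row flagged "C" and matches it to the reply row to report which address the client traffic leaves as. The names `parse_rows` and `nat_mappings` are hypothetical, and the column order (source, destination, protocol, source port, destination port, flags last), the matching ICMP value in the source-port column, and unchanged TCP/UDP ports on the reply are assumptions taken from the sample rows.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample: the two session rows quoted in the post above.
SAMPLE = """\
192.168.1.254 192.168.1.162 1 34807 0 0/0 0 0 0 tunnel 18 6 1 60 FNI
192.168.5.1 192.168.1.254 1 34807 2048 0/0 0 0 0 tunnel 18 6 1 60 FSCI
"""

class Flow(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str

def parse_rows(text):
    """Parse session rows; the prompt, headers and other text are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        try:
            # Assumed column order: src, dst, proto, sport, dport, ..., flags
            ipaddress.ip_address(f[0])
            ipaddress.ip_address(f[1])
            flows.append(Flow(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), f[-1]))
        except (ValueError, IndexError):
            continue
    return flows

def nat_mappings(flows):
    """Return (client_ip, nat_ip, remote_ip) for each NAT'ed client flow."""
    clients = {f.src for f in flows if "C" in f.flags}
    found = []
    for c in (f for f in flows if "C" in f.flags):
        for r in flows:
            # The reply must come from the client's destination and go to
            # an address that is not itself a client (the NAT address).
            if r.src != c.dst or r.proto != c.proto or r.dst in clients:
                continue
            icmp = c.proto == 1 and r.sport == c.sport  # same value, as in the sample
            l4 = c.proto in (6, 17) and (r.sport, r.dport) == (c.dport, c.sport)
            if icmp or l4:
                found.append((c.src, r.dst, c.dst))
    return found

if __name__ == "__main__":
    for client, nat, remote in nat_mappings(parse_rows(SAMPLE)):
        print(f"{client} -> {remote} leaves as {nat}")
```

A flow that is not NAT'ed produces no entry, because its reply row points straight back at the client address.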