Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

NAT Vlan on controller

  • 1.  NAT Vlan on controller

    Posted Mar 03, 2016 10:38 AM

    I'm experiencing a problem with NATing for one of my VLANs on my controller:

    I have 2 VLANs:

    - VLAN 10, which is my default VLAN

    - VLAN 33, which is only declared on my controller (and not on the rest of the network)


    I'd like to NAT the IPs coming from my VLAN 10 to VLAN 33. I have already enabled NAT on VLAN 33 and I have my default gateway on VLAN 10.

    When I'm in my VLAN 33 and I want to ping an IP address in my VLAN 10, the ping goes through the controller, reaches the IP address, goes back to the controller, and gets lost. So I can communicate in only one direction.

    In the CLI:


    interface vlan 10
    ip address 192.168.10.210 255.255.255.0
    no ip routing
    !

    interface vlan 33
    ip address 172.16.33.1 255.255.255.0
    no ip routing
    ip nat inside
    !

    ip default-gateway 192.168.10.254

    Any help is most welcome.

    Cheers.



  • 2.  RE: NAT Vlan on controller

    EMPLOYEE
    Posted Mar 03, 2016 11:11 AM

    Does the controller have an ip address in VLAN 33?  Is that the default gateway of your clients?  IP nat inside only works for traffic leaving the controller, not between vlans, really....unless I am wrong...

     

    EDIT:  Hold on, why do you have "no ip routing" on your VLANs?  That means that the controller default gateway cannot route any traffic...



  • 3.  RE: NAT Vlan on controller

    Posted Mar 03, 2016 11:24 AM
    You need to allow ip routing under those layer 3 VLANs, otherwise you won't be able to route.


  • 4.  RE: NAT Vlan on controller

    Posted Mar 03, 2016 11:37 AM

    Does the controller have an ip address in VLAN 33? Yes, as I wrote previously, it's 172.16.33.1.

    Is that the default gateway of your clients? Yes, it's the default gateway for VLAN 33 users.

    IP nat inside only works for traffic leaving the controller: so how do users get a response to DNS requests, pings, etc.?

    Hold on, why do you have "no ip routing" on your VLANs? Because the controller doesn't do inter-VLAN routing; it's done by our network core.

    I tried to activate ip routing on both interfaces (VLAN 1 and 33) but there is no way to access the network!

    I activated source NAT. Are there any other operations to do? Do I have to activate NAT pools, for example?



  • 5.  RE: NAT Vlan on controller

    EMPLOYEE
    Posted Mar 03, 2016 11:49 AM

    What are you trying to do?  It is not clear.

     



  • 6.  RE: NAT Vlan on controller

    Posted Mar 03, 2016 12:00 PM

    We have a Guest VLAN (VLAN 33), which is only on the Wifi controller.

    We want to allow the users of this VLAN to access the Internet. To do so, we activated source NAT for VLAN 33 users. But we can't make it work.



  • 7.  RE: NAT Vlan on controller

    EMPLOYEE
    Posted Mar 03, 2016 12:33 PM

    1.  The client default gateway must be the controller's ip address on VLAN 343

    2.  You must remove "no ip routing"

    3.  You must enable "source nat" or "ip nat inside" on VLAN 33

    4.  The client traffic will be source-natted out of the controller's uplink by default.

    5.  Client traffic will appear to be coming out of the management ip address of the controller.



  • 8.  RE: NAT Vlan on controller

    Posted Mar 04, 2016 03:56 AM

    Well, we already tried this configuration: our requests are NATed but we don't get the response to them.

    I agree with you that it should work but it doesn't. I made the configuration again and again, beginning from nothing, and I'm still having the same problem. I can only ping the interfaces of my controller (which is logical!)

    Do you know some commands to see if the NAT is working properly?

     

     



  • 9.  RE: NAT Vlan on controller

    EMPLOYEE
    Posted Mar 04, 2016 04:53 AM

    You should be able to see it running: show datapath session table

    Regards

    Borja



  • 10.  RE: NAT Vlan on controller

    EMPLOYEE
    Posted Mar 04, 2016 07:59 AM

    @nbemowski wrote:

    Well, we already tried this configuration: our requests are NATed but we don't get the response to them.

    I agree with you that it should work but it doesn't. I made the configuration again and again, beginning from nothing, and I'm still having the same problem. I can only ping the interfaces of my controller (which is logical!)

    Do you know some commands to see if the NAT is working properly?


    Well, you should open a case with TAC so that they can look at your topology and configuration. OR you should simplify things, because we all have the most basic version of this working in our labs (private subnet, ip nat inside, nat working). You also should check to make sure that you do not have an ACL on an interface that is blocking traffic. As was mentioned, "show datapath session table <ip address of client>" is probably the best troubleshooting tool to understand if something is being blocked or not.



  • 11.  RE: NAT Vlan on controller

    Posted Sep 04, 2017 03:42 PM

    Hi there,

     

    I have a similar case. IP routing is enabled.

     

    I am trying to use NAT in order to give Internet access (directly from the VLAN on the controller) to the users of two different SSIDs, but it is not working.

    The configuration is as follows:

    !
    !
    ip access-list eth validuserethacl
    permit any
    !
    !
    ip access-list session validuser
    network 169.254.0.0 255.255.0.0 any any deny
    network 127.0.0.0 255.0.0.0 any any deny
    network 224.0.0.0 240.0.0.0 any any deny
    host 255.255.255.255 any any deny
    network 240.0.0.0 240.0.0.0 any any deny
    any any any permit
    ipv6 host fe80:: any any deny
    ipv6 network fc00::/7 any any permit
    ipv6 network fe80::/64 any any permit
    ipv6 alias ipv6-reserved-range any any deny
    ipv6 any any any permit
    !
    !
    !
    vlan 1
    vlan 4
    vlan 5
    vlan 999
    !
    !
    interface gigabitethernet 1/0
    description "G1/0 - NAT INSIDE - LAG 1"
    no trusted vlan 999
    !
    interface gigabitethernet 1/1
    description "GE1/1 - NAT INSIDE - LAG 1"
    no trusted vlan 999
    !
    interface gigabitethernet 1/2
    description "GE1/2 - NAT INSIDE - LAG 1"
    lacp group 1 mode active
    no trusted vlan 999
    !
    interface gigabitethernet 1/3
    description "GE1/3 - NAT OUTSIDE"
    no trusted vlan 1-4094
    no trusted
    switchport mode access
    switchport access vlan 999
    ip access-group validuserethacl in
    ip access-group validuserethacl out
    ip access-group validuser session
    !
    !
    controller-ip vlan 1
    !
    !
    interface vlan 1
    ip address 10.10.40.1 255.255.255.0
    !
    !
    interface vlan 4
    ip address 10.10.70.1 255.255.255.0
    ip nat inside
    ip helper-address 172.21.10.173
    !
    !
    interface vlan 5
    ip address 10.10.50.1 255.255.255.0
    ip nat inside
    ip helper-address 172.21.10.173
    !
    !
    interface vlan 999
    ip address w.x.y.z 255.255.255.0
    ip nat outside
    !
    !
    !
    !
    ip default-gateway w.x.y.a
    !
    !
    ip route 172.21.28.0 255.255.255.0 172.21.19.1
    ip route 172.21.10.0 255.255.255.0 172.21.19.1
    ip route 172.21.16.0 255.255.255.0 172.21.19.1
    ip route 172.21.25.0 255.255.255.0 172.21.19.1
    ip route 10.120.1.0 255.255.255.0 172.21.19.1
    !
    !


    The role used to test this by the WLAN users (using VLANs 4 and 5) is the standard "authenticated" role with the allowall access list.

    I am thinking that NAT is not working since some internal networks (the ones with subnet 172.21.x.0/24) use public address space instead of the 172.16.x.0/24 private address space and interact with the WLAN networks that use 10.10.n.0/24 networks.

    When I say the NAT is not working, I mean that a user connected to the SSIDs related to VLAN 4 or VLAN 5 cannot reach the Internet (we are testing with Windows 10).

    Also, I can ping the IP address w.x.y.z/24 assigned to the interface vlan 999, but I cannot ping the default gateway declared on the controller to get access to the Internet (the w.x.y.a/24 IP address).

     

    Any guidance about this is more than welcome.

    Thanks in advance.

     

    Jose



  • 12.  RE: NAT Vlan on controller

    EMPLOYEE
    Posted Sep 04, 2017 05:15 PM

    Jose,

     

    You might be making this more complicated than it needs to be.  Is VLAN 999 a public ip address?

     



  • 13.  RE: NAT Vlan on controller

    Posted Sep 04, 2017 05:33 PM

     

    Yes, it is a public IP address.



  • 14.  RE: NAT Vlan on controller

    EMPLOYEE
    Posted Sep 04, 2017 05:52 PM

    Is the default gateway even pingable?

    What is the controller connected to, a cable modem?

    By the way Jose, you should open your own thread so that you do not step on what the person who originally opened this thread is trying to get answers for.



  • 15.  RE: NAT Vlan on controller

    Posted Sep 04, 2017 06:02 PM

    Thanks Colin,

     

    The default gateway is pingable from the controller. The controller is connected to a LAN switch and this one to a router. The end customer has a range of public IP addresses given by his ISP.

     

    Example 

     

    interface vlan 999 

     ip address 189.188.104.98 255.255.0

     ip nat outside

     

    ip default gateway 189.188.104.1

     

    Do you want me to open a new thread?

     

     



  • 16.  RE: NAT Vlan on controller

    Posted Sep 04, 2017 06:07 PM

    Correction to the example:

     

     

    interface vlan 999 

     ip address 189.188.104.98 255.255.255.0

     ip nat outside

     

    ip default gateway 189.188.104.1

     



  • 17.  RE: NAT Vlan on controller

    EMPLOYEE
    Posted Sep 04, 2017 06:27 PM

    You should not have to do an ip nat outside. As long as your controller can route/ping past the default gateway, a user on a VLAN that has ip nat inside should be able to do the same.
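    The checks raised across this thread (the prerequisites listed in reply 7, the "no ip routing" lines from the first post, and the unnecessary "ip nat outside" from this reply) can be applied mechanically to a saved controller configuration. The following is an added example, not code from the thread or from HPE Aruba Networking; it assumes an ArubaOS-style text config where "interface vlan N" blocks are closed by "!" lines, and embeds the first poster's configuration as constructed sample input.

```python
import re

# Constructed sample: the configuration from the first post in this thread.
BROKEN_CONFIG = """\
interface vlan 10
ip address 192.168.10.210 255.255.255.0
no ip routing
!
interface vlan 33
ip address 172.16.33.1 255.255.255.0
no ip routing
ip nat inside
!
ip default-gateway 192.168.10.254
"""

def parse_config(config):
    """Return ({vlan_id: [config lines]}, default_gateway) for 'interface vlan N' blocks."""
    vlans, gateway, current = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":          # '!' closes the current block
            current = None
            continue
        m = re.match(r"interface vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
            vlans[current] = []
        elif line.startswith("ip default-gateway "):
            gateway, current = line.split()[2], None
        elif current is not None:
            vlans[current].append(line)
    return vlans, gateway

def check_nat_config(config):
    """Flag the mistakes discussed in the thread; an empty list means the checks pass."""
    vlans, gateway = parse_config(config)
    findings = []
    if gateway is None:
        findings.append("no 'ip default-gateway': the controller cannot forward NATed traffic")
    for vid, lines in sorted(vlans.items()):
        nat_inside = "ip nat inside" in lines
        if nat_inside and "no ip routing" in lines:
            findings.append(f"vlan {vid}: 'ip nat inside' together with 'no ip routing'")
        if nat_inside and not any(l.startswith("ip address ") for l in lines):
            findings.append(f"vlan {vid}: 'ip nat inside' but no ip address for clients to use as gateway")
        if "ip nat outside" in lines:
            findings.append(f"vlan {vid}: 'ip nat outside' is not required; the uplink is source-NATed by default")
    return findings

if __name__ == "__main__":
    for f in check_nat_config(BROKEN_CONFIG):
        print(f)
    print("fixed config findings:", check_nat_config(BROKEN_CONFIG.replace("no ip routing\n", "")))
```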



  • 18.  RE: NAT Vlan on controller

    Posted Sep 04, 2017 06:47 PM

    Thank you for the feedback Colin, I will test it tomorrow and let you know.