Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

NAT and VLAN question

  • 1.  NAT and VLAN question

    Posted Sep 12, 2013 03:24 PM

    VLAN 100 - 10.100.0.0 255.255.0.0
    VLAN 200 - 72.13.164.1 255.255.255.224

    ip nat pool mynatpool 72.13.164.1 72.13.164.1 0.0.0.0
    !
    ip access-list session Nat-to-my-Nat-pool
      user any any src-nat pool mynatpool
    !
    user-role TEST
      session-acl Nat-to-my-Nat-pool

    I have users pulling a private address and then I have a session rule so that they NAT to 72.13.164.1. The NAT is working, but when doing a DNS search, the traffic is tagged with VLAN ID 100. I don't understand why traffic that is NAT'd wouldn't be tagged to the interface/IP address it is being NAT'd to.
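    One way to check for the symptom described in this post from an upstream monitor-port capture, as an added example that is not part of the thread: it maps each frame's 802.1Q tag against the VLAN that owns the frame's source subnet (subnets taken from the config above). It assumes a tab-separated export of VLAN ID, source IP, destination IP and protocol (the style of a tshark field export); the sample lines are constructed.

```python
import ipaddress

# VLAN-to-subnet map taken from the interface lines in the post.
VLAN_SUBNETS = {
    100: ipaddress.ip_network("10.100.0.0/16"),
    200: ipaddress.ip_network("72.13.164.0/27"),
}

# Constructed sample capture (not a real trace): vlan<TAB>src<TAB>dst<TAB>proto
SAMPLE_EXPORT = """\
100\t72.13.164.1\t8.8.8.8\tDNS
200\t72.13.164.1\t8.8.8.8\tDNS
100\t10.100.5.7\t10.100.0.1\tDNS
"""


def owning_vlan(ip):
    """Return the VLAN whose subnet contains ip, or None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for vlan, net in VLAN_SUBNETS.items():
        if addr in net:
            return vlan
    return None


def parse_export(text):
    """Parse tab-separated (vlan, src, dst, proto) lines into tuples."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        vlan, src, dst, proto = line.split("\t")
        frames.append((int(vlan), src, dst, proto))
    return frames


def find_vlan_mismatches(frames):
    """Return (frame, expected_vlan) for frames whose tag does not match
    the VLAN that owns the source address, e.g. a NAT'd pool address still
    carrying the client's VLAN tag."""
    mismatches = []
    for frame in frames:
        vlan, src, _dst, _proto = frame
        expected = owning_vlan(src)
        if expected is not None and expected != vlan:
            mismatches.append((frame, expected))
    return mismatches


if __name__ == "__main__":
    for frame, expected in find_vlan_mismatches(parse_export(SAMPLE_EXPORT)):
        print(f"src {frame[1]} tagged VLAN {frame[0]}, expected VLAN {expected}")
```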



  • 2.  RE: NAT and VLAN question

    EMPLOYEE
    Posted Sep 12, 2013 03:39 PM

    Well...isn't the client part of VLAN 100?  Is this causing an issue?



  • 3.  RE: NAT and VLAN question

    Posted Sep 12, 2013 03:56 PM

    The client is part of VLAN 100, so yes this is why it is tagged with vlan id 100. If I were to do source nat, wouldn't the vlan id be switched from vlan 100 to whatever vlan the ip address of the controller is? Say if I had vlan 1 designated with the controller IP, then if I were to capture DNS traffic, then the traffic should be tagged with vlan id 1. 



  • 4.  RE: NAT and VLAN question

    EMPLOYEE
    Posted Sep 12, 2013 03:59 PM

    It all depends on where you capture.  You are source NAT'ing the traffic so if you capture upstream of the controller, you will see a source IP of your NAT pool.  



  • 5.  RE: NAT and VLAN question

    Posted Sep 12, 2013 04:09 PM

    Correct, say if I collect traffic on a monitor port of an upstream switch. The IP is sourced from the NAT pool. The issue that I am seeing is that the VLAN ID, however, is still the original VLAN ID of 200 instead of the VLAN ID of the NAT pool.



  • 6.  RE: NAT and VLAN question

    EMPLOYEE
    Posted Sep 12, 2013 04:12 PM
    Any way you can post the packet trace excerpt? I am not getting it. If the VLAN tag was 100 in your case, things would have been broken upstream, I would think.


  • 7.  RE: NAT and VLAN question

    Posted Sep 12, 2013 04:33 PM

    That is the problem, the link is broken. The traffic is being NAT'd to the correct IP address of 72.15.164.1, but if you look closely, you can see that the VLAN ID is 95. In this instance, I left the role-assigned VLAN ID as unassigned under access control, so it is using the VLAN ID of the controller IP address. However, 72.15.164.1 is actually assigned to VLAN 100. If I change the role VLAN ID assignment under access control to 200, then the packet capture would show the correct NAT'd address, but the VLAN ID will change to 200. This is causing issues with me trying to NAT private IP addresses.

    Screen Shot 2013-09-12 at 3.22.44 PM.png



  • 8.  RE: NAT and VLAN question

    EMPLOYEE
    Posted Sep 12, 2013 04:38 PM
    Can you post your config?


  • 9.  RE: NAT and VLAN question

    Posted Sep 12, 2013 04:53 PM

    I have emailed it to you.