Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

NAT'd vlan but want different NAT ip for split-tunnel ssid

  • 1.  NAT'd vlan but want different NAT ip for split-tunnel ssid

    EMPLOYEE
    Posted Nov 24, 2014 06:31 AM

    I have a scenario where there are two vlans, for corp and guest, with both 'ip nat inside'.

     

    The internet route is via a firewall and currently the corp traffic is NAT'd behind a different ip address, due to the traffic being sent to an internet proxy.  I was able to achieve this with a rule of 'any any any src-nat pool corp-inet'.

     

    For a new site, the customer wanted to set up a split-tunnel ssid to drop out local subnets from the APs and tunnel everything else.  Unfortunately, the src-nat rule does not work for split-tunnel mode, and the corp traffic is now NAT'd behind the guest NAT address.

     

    I am thinking the only thing to try now is to apply a session-acl to the interface as the traffic egresses from the port?  Something like this....

     

    ip access-list session DMZ-Internet-port
      network 10.0.0.0 255.0.0.0 any any src-nat pool corp-inet-DMZ
      any any any permit

     

    I hope I've made that clear, but would the above work with split-tunnel traffic to be NAT'd behind a different address?  I guess I am wondering what the internal order of processing is on the controller.  Is the ip-nat-inside rule applied before it hits the interface?

     

    Thanks
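    As an added illustration (not code from this thread or from ArubaOS), the Python model below evaluates the session ACL posted above with first-match semantics, which the example assumes, and flags any rule that an earlier, broader rule would shadow. It does not model where the controller applies 'ip nat inside' relative to a session ACL, which the thread leaves open.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    src: ipaddress.IPv4Network   # source match; 0.0.0.0/0 stands for "any"
    action: str                  # "permit" or "src-nat"
    pool: Optional[str] = None   # NAT pool name for src-nat rules

def parse_acl(text: str) -> List[Rule]:
    """Parse the two rule shapes used in the thread:
    'network A.B.C.D M.M.M.M any any src-nat pool NAME' and 'any any any permit'."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "ip":          # skip the 'ip access-list session' header
            continue
        if tok[0] == "network":                # dotted netmask is accepted by ipaddress
            src = ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}")
            rest = tok[3:]
        elif tok[0] == "any":
            src = ipaddress.IPv4Network("0.0.0.0/0")
            rest = tok[1:]
        else:
            raise ValueError(f"unsupported rule: {line}")
        # rest is now: <dst> <service> <action> [pool NAME]
        action = rest[2]
        pool = rest[4] if action == "src-nat" and len(rest) > 4 and rest[3] == "pool" else None
        rules.append(Rule(src, action, pool))
    return rules

def first_match(rules: List[Rule], src_ip: str) -> Optional[Rule]:
    """Return the first rule whose source range contains src_ip (assumed first-match ACL)."""
    ip = ipaddress.IPv4Address(src_ip)
    for r in rules:
        if ip in r.src:
            return r
    return None

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers their source."""
    return [i for i, r in enumerate(rules)
            if any(r.src.subnet_of(e.src) for e in rules[:i])]

# The ACL from the post, reproduced here as the constructed sample input.
ACL = """
ip access-list session DMZ-Internet-port
  network 10.0.0.0 255.0.0.0 any any src-nat pool corp-inet-DMZ
  any any any permit
"""
```

    Putting 'any any any permit' first would shadow the src-nat rule, which shadowed_rules() reports as index 1.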



  • 2.  RE: NAT'd vlan but want different NAT ip for split-tunnel ssid

    EMPLOYEE
    Posted Nov 24, 2014 06:55 AM

    How many access points are at that site?

     



  • 3.  RE: NAT'd vlan but want different NAT ip for split-tunnel ssid

    EMPLOYEE
    Posted Nov 24, 2014 07:01 AM

    8 or 9.



  • 4.  RE: NAT'd vlan but want different NAT ip for split-tunnel ssid

    EMPLOYEE
    Posted Nov 24, 2014 07:07 AM

    Could you use "Bridge" instead of split-tunnel for corporate traffic?  Split-Tunnel is normally only good for smaller sites with a few access points...



  • 5.  RE: NAT'd vlan but want different NAT ip for split-tunnel ssid

    EMPLOYEE
    Posted Nov 24, 2014 07:13 AM

    That's an option, but I'd prefer not to cause we lose the Lync optimisations and benefits.

     

    Then again, could just "route src-nat" the internet traffic out the ap and let it flow out like wired traffic to the internet, which I assume would have the correct NAT address.



  • 6.  RE: NAT'd vlan but want different NAT ip for split-tunnel ssid

    EMPLOYEE
    Posted Nov 24, 2014 07:20 AM

    So taking a step back:

     

    - you have 9 access points at that site

    - They are all configured as remote APs

    - You have a controller at the headend

    - What is transmitting the WAN traffic back to the controller?  Is there a site to site VPN or only an internet connection? 



  • 7.  RE: NAT'd vlan but want different NAT ip for split-tunnel ssid

    EMPLOYEE
    Posted Nov 24, 2014 08:02 AM

    @cjoseph wrote:

    So taking a step back:

     

    - you have 9 access points at that site.  Yes

    - They are all configured as remote APs.  One at the moment for testing this.

    - You have a controller at the headend.  Yes

    - What is transmitting the WAN traffic back to the controller?  Is there a site to site VPN or only an internet connection? It is an MPLS network.


    Unfortunately, the setup is complicated by the fact that they did not want to ask their provider to configure additional ports, vlans etc because it would cost them money.  Despite my warnings and reluctance, they insisted it all be nat'd.

     

    So in the end I have a slightly complicated setup with different NAT addresses and esi-redirects.  That all works fine for tunnelled corp ssids.

     

    They just want to know the possibility to break out those local site subnets from the AP, which is fine, but it now means their corp internet traffic is being NAT'd behind the wrong address at the controller.



  • 8.  RE: NAT'd vlan but want different NAT ip for split-tunnel ssid

    EMPLOYEE
    Posted Nov 25, 2014 09:02 AM

    I gave them the options to move forward and it has been decided that it is too difficult to reconfigure ports, switches and add a dhcp scope for the site.  So back to just tunnel mode ssid.