I have a scenario where there are two VLANs, for corp and guest, both with 'ip nat inside'.
The internet route is via a firewall, and currently the corp traffic is NAT'd behind a different IP address, because that traffic is sent to an internet proxy. I was able to achieve this with a rule of 'any any any src-nat pool corp-inet'.
For a new site, the customer wanted to set up a split-tunnel SSID to drop local subnets out at the APs and tunnel everything else. Unfortunately, the src-nat rule does not work in split-tunnel mode, and the corp traffic is now NAT'd behind the guest NAT address.
I am thinking the only thing left to try is to apply a session ACL to the interface as the traffic egresses from the port. Something like this:
ip access-list session DMZ-Internet-port
network 10.0.0.0 255.0.0.0 any any src-nat pool corp-inet-DMZ
any any any permit
I hope I've made that clear, but would the above work for split-tunnel traffic to be NAT'd behind a different address? I guess I am wondering what the internal order of processing is on the controller. Is the ip-nat-inside rule applied before the traffic hits the interface?
Thanks