Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

NAT setup to not use controller IP

  • 1.  NAT setup to not use controller IP

    Posted Mar 19, 2015 08:50 AM

    Hello,

    We have two VLANs trunked to our 6000 / M3 controllers (Guest and ADMIN).  The clients are not configured to use the controller as a gateway; they pass through.  The Guest VLAN has a Public IP assigned to the interface, and the Admin VLAN has a private IP address.  All Virtual APs are dropping broadcast and multicast.  The Controller IP is on the Private Admin network.

    I would like to set up a new Guest Internet SSID using NAT which will allow Apple services such as Bonjour.  From what I understand, when using NAT, the outside IP will be the controller IP.  In this case, I want to use the Public IP address of the Guest interface for the NAT outside IP.  How can I do this?



    Thanks,
    Bryan



  • 2.  RE: NAT setup to not use controller IP

    EMPLOYEE
    Posted Mar 19, 2015 09:02 AM

    Bryanc,

     

    Bonjour cannot cross a NAT boundary.  Please describe the application in this deployment.

     

    To make a controller NAT out of the IP address that is not the controller address, you can use the article here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-NAT-and-redirect-of-specific-traffic-using-ACL-on-Aruba/ta-p/184528



  • 3.  RE: NAT setup to not use controller IP

    Posted Mar 19, 2015 09:35 AM

    Thanks for the information.  Clients on the new NAT-ed SSID/VLAN will have private IPs and the controller will be their default gateway in this case.  So my main goal is to get the traffic NAT-ed out the Guest Internet interface instead of (by default) the internal controller IP interface.  I am not 100% sure the article addresses this?

     

    I know about the Bonjour limitations; all usage will be contained on the new SSID/VLAN, so for this it won't be an issue.  That is one of the reasons for setting up this new SSID, so we can have easy Bonjour usage in a certain area for limited users, without affecting the rest of our production WiFi.  The reason for the NAT is so a number of OSX servers can run with app download caching enabled.

     

     

    Thanks,

    Bryan

     



  • 4.  RE: NAT setup to not use controller IP

    EMPLOYEE
    Posted Mar 19, 2015 09:45 AM

    Bryanc,

     

    If you want clients to NAT out of the public IP address on the controller, you can:

     

    - Create a NAT pool that only has the controller's public IP address

    - On the last line of the guest user's post authentication role, write a rule that has

    any any any src-nat pool thatpoolname

    That will NAT all traffic out of the controller's pool IP address.  Please see details in the src-nat description of the command here:  http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/ip_access_list_session.htm
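
The two steps from the reply above, written out as ArubaOS 6.x CLI. This is an added example, not something posted by either participant: the pool, ACL and role names are hypothetical, and 203.0.113.10 is a documentation-range stand-in for the public IP on the Guest interface.

```text
! Constructed example (not from the thread). Names and addresses are placeholders.
! Step 1: a NAT pool whose start and end address are the same single public IP,
!         so every translated session leaves with that address as its source.
ip nat pool guest-public-pool 203.0.113.10 203.0.113.10

! Step 2: a session ACL holding only the catch-all source-NAT rule from the reply.
ip access-list session guest-srcnat-pool
  any any any src-nat pool guest-public-pool
!
! Attach it as the final ACL of the post-authentication guest role. ACLs are
! evaluated top-down and the first match wins, so any deny rules that keep
! guests away from internal/admin subnets must sit in ACLs listed above it;
! once traffic reaches this catch-all rule it is translated and forwarded.
user-role guest-nat
  access-list session guest-srcnat-pool
!
! Check the resulting rule order in the role, then inspect a client's sessions.
show rights guest-nat
show datapath session table <client-ip>
```

Because the rule matches `any any any`, nothing listed after it in the role is ever evaluated, which is why the reply places it on the last line.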