Contributor II

NAT setup to not use controller IP

Hello,

We have two VLANs trunked to our 6000 / M3 controllers (Guest and ADMIN).  The clients are not configured to use the controller as a gateway, they pass through.  The Guest VLAN has a Public IP assigned to the interface, and the Admin VLAN has a private IP address.  All Virtual APs are dropping broadcast and multicast.  The Controller IP is on the Private Admin network.

I would like to set up a new Guest Internet SSID using NAT which will allow Apple services such as Bonjour.  From what I understand when using NAT, the outside IP will be the controller IP.  In this case, I want to use the Public IP address of the Guest interface for the NAT outside IP.  How can I do this?



Thanks,
Bryan

Guru Elite

Re: NAT setup to not use controller IP

Bryanc,

 

Bonjour cannot cross a NAT boundary.  Please describe the application in this deployment.

 

To make a controller NAT out of the ip address that is not the controller address you can use the article here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-NAT-and-redirect-of-specific-traffic-using-ACL-on-Aruba/ta-p/184528


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor II

Re: NAT setup to not use controller IP

Thanks for the information.  Clients on the new NAT-ed SSID/VLAN will have private IPs and the controller will be their default gateway in this case.  So my main goal is to get the traffic NAT-ed out the Guest Internet interface instead of (by default) the internal controller IP interface.  I am not 100% sure the article addresses this?

 

I know about the Bonjour limitations, all usage will be contained on the new SSID/VLAN, so for this it won't be an issue.  That is one of the reasons for setting up this new SSID so we can have easy Bonjour usage in a certain area for limited users, without affecting the rest of our production WiFi.  The reason for the NAT is so a number of OSX servers can run with app download caching enabled.

 

 

Thanks,

Bryan

 

Guru Elite

Re: NAT setup to not use controller IP

Bryanc,

 

If you want clients to nat out of the public ip address on the controller you can:

 

- Create a NAT pool that only has the controller's public ip address

- On the last line of the guest user's post authentication role, write a rule that has

any any any src-nat pool thatpoolname

That will nat all traffic out of the controller's pool ip address.  Please see details in the src-nat description of the command here:  http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/ip_access_list_session.htm

 

 

 


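The two steps from the last reply, written out as a controller configuration sketch. This is an added example, not part of the original thread and not Aruba's own configuration. The address 203.0.113.10, the 10.0.0.0/8 internal range, and the names guest-public-pool, guest-srcnat and guest-nat-role are constructed placeholders, and the syntax assumes the ArubaOS 6.x CLI described in the linked command reference.

```text
! Constructed values: 203.0.113.10 stands in for the Guest interface's
! public IP; 10.0.0.0/8 stands in for the private Admin network.
! Pool, ACL and role names are hypothetical.

! Step 1: a NAT pool that contains only the controller's public IP
! (start and end address are the same).
ip nat pool guest-public-pool 203.0.113.10 203.0.113.10

! Step 2: a session ACL for the guest role. Session ACLs are first-match,
! so anything that must not be NAT-ed (here, traffic toward the private
! network) is denied before the catch-all rule.
ip access-list session guest-srcnat
  user network 10.0.0.0 255.0.0.0 any deny
  any any any src-nat pool guest-public-pool

! Apply the ACL as the last policy on the guest post-authentication role,
! after any policies the role already carries.
user-role guest-nat-role
  access-list session guest-srcnat
```

Running `show rights guest-nat-role` afterwards lists the role's effective rules in evaluation order, which confirms that the src-nat rule is the last line and that the deny above it still applies.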