Wireless Access

Redirect guest traffic to DMZ via esi-server and nat behind controller DMZ ip

  • 1.  Redirect guest traffic to DMZ via esi-server and nat behind controller DMZ ip

    EMPLOYEE
    Posted May 07, 2014 08:05 AM

    Hi,

    I have a requirement to have the corp and guest traffic egress out different interfaces. I am using the esi-server feature, and followed the following post, https://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Need-help-routing-internet-traffic-from-our-guest-and-corporate/m-p/22348/highlight/true#M6505

     

    Basically, the guest vlan is 'ip nat inside' and all traffic (apart from dhcp) is redirected into the tunnel.  The controller-ip is set to the controller DMZ ip, being 10.237.8.42.

    What I was expecting is that the guest user traffic would egress out that interface and be NAT'd behind 10.237.8.42, being the controller-ip.

    What I see with a capture on the controller, is that the guest traffic is egressing out that interface but is NAT'd behind the corp ip address, and hence being dropped on the firewall.

     

    The rules are as follows,

     

    guest-logon-control
    -------------------
    Priority  Source  Destination  Service   Action                                          TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
    --------  ------  -----------  -------   ------                                          ---------  ---  -------  -----  ---  -----  ---------  ------  -------
    1         user    any          udp 68    deny                                                                     Low
    2         any     any          svc-dhcp  permit                                                                   Low
    3         any     any          svc-icmp  redirect esi-group DMZ-Group direction forward                           Low
    4         any     any          svc-dns   redirect esi-group DMZ-Group direction forward                           Low
    5         any     any          svc-natt  redirect esi-group DMZ-Group direction forward                           Low

    And I see the hits in the firewall

     

    (controller) # show acl hits

    User Role ACL Hits
    ------------------
    Role         Policy               Src   Dst               Service    Action    Dest/Opcode  New Hits  Total Hits  Index
    ----         ------               ---   ---               -------    ------    -----------  --------  ----------  -----
    guest-logon  guest-logon-control  any   any               svc-dhcp   permit                 0         37          8602
    guest-logon  guest-logon-control  any   any               svc-icmp   redirect  4233         0         12          8603
    guest-logon  guest-logon-control  any   any               svc-dns    redirect  4233         202       5366        8604

    Obviously I'm doing something wrong here, but can anyone advise?

     

    Thanks


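    Added example (editorial, not code from the thread or from HPE Aruba): a small Python script that parses the `ip access-list session` block and the `show acl hits` table exactly as they are quoted in the post above, joins them on (role, policy, src, dst, service), and lists every configured rule together with its hit counts and ESI redirect opcode. The sample inputs are copied from the post; the column layout of `show acl hits` is an assumption taken from that output and may differ on other ArubaOS releases. For the data in the post it reports the `udp 68 deny` rule and the `svc-natt` redirect rule as never hit, which narrows down which guest flows actually reach the ESI redirect.

```python
"""Cross-check an ArubaOS session ACL against `show acl hits` output.

Added example, not code from the thread or from HPE Aruba. The parsers
assume the text layouts quoted in the post (other releases may differ).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input, copied from the ACL shown in the post.
ACL_CONFIG = """\
ip access-list session guest-logon-control
  user any udp 68 deny
  any any svc-dhcp permit
  any any svc-icmp redirect esi-group DMZ-Group direction forward
  any any svc-dns redirect esi-group DMZ-Group direction forward
  any any svc-natt redirect esi-group DMZ-Group direction forward
!
"""

# Constructed sample input, copied from the `show acl hits` table in the post.
ACL_HITS = """\
User Role ACL Hits
------------------
Role         Policy               Src   Dst               Service    Action    Dest/Opcode  New Hits  Total Hits  Index
----         ------               ---   ---               -------    ------    -----------  --------  ----------  -----
guest-logon  guest-logon-control  any   any               svc-dhcp   permit                 0         37          8602
guest-logon  guest-logon-control  any   any               svc-icmp   redirect  4233         0         12          8603
guest-logon  guest-logon-control  any   any               svc-dns    redirect  4233         202       5366        8604
"""

Rule = Tuple[str, str, str]  # (src, dst, service) as written in the ACL


def parse_acl(config: str) -> Dict[str, List[Tuple[Rule, str]]]:
    """Return {policy: [((src, dst, service), action text), ...]} in rule order."""
    policies: Dict[str, List[Tuple[Rule, str]]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list session (\S+)$", line)
        if m:
            current = m.group(1)
            policies[current] = []
            continue
        if line == "!":
            current = None
        if current is None or not line:
            continue
        parts = line.split()
        src, dst = parts[0], parts[1]
        # The service is either a named alias (svc-dns) or "<proto> <port>" (udp 68).
        if parts[2] in ("tcp", "udp"):
            service, rest = " ".join(parts[2:4]), parts[4:]
        else:
            service, rest = parts[2], parts[3:]
        policies[current].append(((src, dst, service), " ".join(rest)))
    return policies


def parse_hits(output: str) -> Dict[Tuple[str, ...], Dict[str, str]]:
    """Return {(role, policy, src, dst, service): {column: value}} from `show acl hits`.

    The table is fixed-width and a column (Dest/Opcode) can be empty, so each
    token is assigned to the column whose header starts nearest to it instead
    of splitting on whitespace.
    """
    lines = output.splitlines()
    header_idx = next(i for i, l in enumerate(lines) if l.startswith("Role"))
    # Column names may contain one space ("New Hits"); columns are 2+ spaces apart.
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+(?: \S+)*", lines[header_idx])]
    table: Dict[Tuple[str, ...], Dict[str, str]] = {}
    for row in lines[header_idx + 1:]:
        if not row.strip() or set(row.strip()) <= set("- "):
            continue  # blank line or the dashed underline
        values = {name: "" for name, _ in cols}
        for tok in re.finditer(r"\S+", row):
            name = min(cols, key=lambda c: abs(c[1] - tok.start()))[0]
            values[name] = (values[name] + " " + tok.group()).strip()
        key = tuple(values[k] for k in ("Role", "Policy", "Src", "Dst", "Service"))
        table[key] = values
    return table


def cross_check(role: str, policy: str, config: str, hits_output: str) -> List[dict]:
    """One entry per configured rule: hit counters, redirect opcode, and whether it appeared at all."""
    hits = parse_hits(hits_output)
    report = []
    for (src, dst, service), action in parse_acl(config)[policy]:
        row = hits.get((role, policy, src, dst, service))
        report.append({
            "rule": f"{src} {dst} {service} {action}",
            "seen": row is not None,
            "new_hits": int(row["New Hits"]) if row else 0,
            "total_hits": int(row["Total Hits"]) if row else 0,
            "dest_opcode": row["Dest/Opcode"] if row else "",
        })
    return report


def unmatched_rules(role: str, policy: str, config: str, hits_output: str) -> List[str]:
    """Rules that `show acl hits` never listed, i.e. no traffic ever matched them."""
    return [r["rule"] for r in cross_check(role, policy, config, hits_output) if not r["seen"]]


if __name__ == "__main__":
    for r in cross_check("guest-logon", "guest-logon-control", ACL_CONFIG, ACL_HITS):
        flag = "" if r["seen"] else "  <-- never hit"
        print(f'{r["total_hits"]:>6} {r["dest_opcode"]:>5}  {r["rule"]}{flag}')
```

Paste your own `show running-config` ACL and `show acl hits` output into the two strings (or read them from files) and compare the unmatched list with the flows you captured on the controller; a rule that never counts a hit cannot be the one pushing traffic into the ESI tunnel.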

  • 2.  RE: Redirect guest traffic to DMZ via esi-server and nat behind controller DMZ ip

    EMPLOYEE
    Posted May 07, 2014 03:56 PM

    Can you post your entire controller config (or at least the relevant bits)?

     

    Also, a network diagram would be useful. 



  • 3.  RE: Redirect guest traffic to DMZ via esi-server and nat behind controller DMZ ip

    EMPLOYEE
    Posted May 08, 2014 04:12 AM

    What I am trying to achieve is in the diagram below.

     

    [attached image: redirect esi.jpg]

     

    The relevant config is as such.

     

    esi ping health-30sec
      frequency 30
      timeout 2
      retry-count 2
    !
    esi server DMZ-Gateway
      trusted-ip-addr 10.237.8.250
      untrusted-ip-addr 10.237.8.250
      mode route
    !
    esi group DMZ-Group
      ping health-30sec
      server DMZ-Gateway
    !
    interface vlan 8
      ip address 10.237.8.42 255.255.255.0
    !
    interface vlan 2
      ip address 10.237.2.244 255.255.255.0
      operstate up
    !
    interface vlan 192
      ip address 192.168.110.1 255.255.254.0
      ip nat inside
      operstate up
    !
    interface vlan 202
      ip address 10.242.202.1 255.255.254.0
      ip helper-address 10.237.2.2
      ip nat inside
      operstate up
    !
    ip access-list session guest-logon-control
      user any udp 68 deny 
      any any svc-dhcp permit 
      any any svc-icmp redirect esi-group DMZ-Group direction  forward 
      any any svc-dns redirect esi-group DMZ-Group direction  forward 
      any any svc-natt redirect esi-group DMZ-Group direction  forward 
    !

    According to the UG, it says that, "If the controller is forwarding the packets at Layer-3, packets that exit the VLAN are given the IP address of the next-hop VLAN for their source IP address." Given that the esi rule is redirecting the traffic and hence routing out the DMZ interface, I would have expected the traffic to have a source address of that DMZ interface (and also since the controller-ip is the DMZ ip), but instead it has the corp address.

     

    Now if I change the default route to point to the DMZ, it is then NAT'd with the correct source address, but that just gives me another headache with how to handle corp internet traffic.

     

    :smileyfrustrated:



  • 4.  RE: Redirect guest traffic to DMZ via esi-server and nat behind controller DMZ ip

    EMPLOYEE
    Posted May 08, 2014 08:03 AM

    Would you be able to remove IP NAT inside from the interface on the controller?


  • 5.  RE: Redirect guest traffic to DMZ via esi-server and nat behind controller DMZ ip

    EMPLOYEE
    Posted May 08, 2014 08:06 AM

    It then comes out with a source address of its own IP, 192.168.111.x.