Hi,
I have a requirement to have the corp and guest traffic egress out different interfaces. I am using the esi-server feature and followed this post: https://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Need-help-routing-internet-traffic-from-our-guest-and-corporate/m-p/22348/highlight/true#M6505
Basically, the guest vlan is 'ip nat inside' and all traffic (apart from dhcp) is redirected into the tunnel. The controller-ip is set to the controller DMZ ip, being 10.237.8.42.
What I was expecting is that the guest user traffic would egress out that interface and be NAT'd behind 10.237.8.42, being the controller-ip.
What I see with a capture on the controller is that the guest traffic is egressing out that interface but is NAT'd behind the corp IP address, and hence is being dropped on the firewall.
The rules are as follows:
guest-logon-control
-------------------
Priority  Source  Destination  Service   Action                                          TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------   ------                                          ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         user    any          udp 68    deny                                                                     Low
2         any     any          svc-dhcp  permit                                                                   Low
3         any     any          svc-icmp  redirect esi-group DMZ-Group direction forward                           Low
4         any     any          svc-dns   redirect esi-group DMZ-Group direction forward                           Low
5         any     any          svc-natt  redirect esi-group DMZ-Group direction forward                           Low
And I see the hits in the firewall:
(controller) # show acl hits
User Role ACL Hits
------------------
Role         Policy               Src  Dst  Service   Action    Dest/Opcode  New Hits  Total Hits  Index
----         ------               ---  ---  -------   ------    -----------  --------  ----------  -----
guest-logon  guest-logon-control  any  any  svc-dhcp  permit                 0         37          8602
guest-logon  guest-logon-control  any  any  svc-icmp  redirect  4233         0         12          8603
guest-logon  guest-logon-control  any  any  svc-dns   redirect  4233         202       5366        8604
Obviously I'm doing something wrong here, but can anyone advise?
Thanks
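As an added example (not part of the post above, and not Aruba's own tooling), this script parses the role policy and the `show acl hits` output in the formats quoted in the post and reports which rules of the policy have no hit entry at all. It assumes that the blank Dest/Opcode column only collapses for non-redirect actions, which is what the quoted output shows.

```python
# Constructed sample input, copied from the policy and "show acl hits" rows quoted in the post.
POLICY_RULES = """\
1 user any udp 68 deny Low
2 any any svc-dhcp permit Low
3 any any svc-icmp redirect esi-group DMZ-Group direction forward Low
4 any any svc-dns redirect esi-group DMZ-Group direction forward Low
5 any any svc-natt redirect esi-group DMZ-Group direction forward Low
"""

ACL_HITS = """\
guest-logon guest-logon-control any any svc-dhcp permit 0 37 8602
guest-logon guest-logon-control any any svc-icmp redirect 4233 0 12 8603
guest-logon guest-logon-control any any svc-dns redirect 4233 202 5366 8604
"""


def parse_policy(text):
    """Parse whitespace-collapsed policy rows into dicts (assumed column layout)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prio, src, dst = parts[0], parts[1], parts[2]
        # Service is either a named alias (svc-dns) or a protocol plus port (udp 68).
        if parts[3] in ("udp", "tcp"):
            service, i = f"{parts[3]} {parts[4]}", 5
        else:
            service, i = parts[3], 4
        action = parts[i]
        # Everything between the action and the trailing Queue value is the redirect target.
        target = " ".join(parts[i + 1:-1]) if action == "redirect" else ""
        rules.append({"priority": int(prio), "src": src, "dst": dst,
                      "service": service, "action": action, "target": target})
    return rules


def parse_hits(text):
    """Parse 'show acl hits' rows; Dest/Opcode is blank (collapsed) unless the action is redirect."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        role, policy, src, dst, service, action = parts[:6]
        rest = parts[6:]
        dest_opcode = None
        if action == "redirect":
            dest_opcode, rest = rest[0], rest[1:]
        new_hits, total_hits, index = (int(x) for x in rest)
        hits.append({"role": role, "policy": policy, "src": src, "dst": dst, "service": service,
                     "action": action, "dest_opcode": dest_opcode, "new_hits": new_hits,
                     "total_hits": total_hits, "index": index})
    return hits


def rules_without_hits(rules, hits, policy):
    """Return policy rules that never appear in the hit counters for the given policy name."""
    seen = {(h["src"], h["dst"], h["service"], h["action"]) for h in hits if h["policy"] == policy}
    return [r for r in rules if (r["src"], r["dst"], r["service"], r["action"]) not in seen]
```

Run against the quoted output it reports rules 1 and 5, i.e. the deny rule and the svc-natt redirect, as the rules with no counters.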