Source NAT pool combined with routing


  • Client connects on wireless Guest network on remote office (local controller)
  • Client gets redirected to Clearpass (
  • Connection is routed through ipsec tunnel


  • It is not possible to create a route back to the client range (overlapping ranges)
  • It is not possible to create a route back to the local controller (overlapping ranges)

To bypass the overlapping ranges-issue, a dummy ip and vlan were created on the local controller.

This is used for radius packets:


For Radius this is working fine.


We also want to use this for showing the guest portal to the client.

Tried to change the Policy

  • adding a 'route' rule (screenshot: 2017-05-24_15h55_22.png):
    This results in a connection to the clearpass, but with the 'controller ip' instead of the 'dummy ip' (so the routing back doesn't work)
  • adding a 'source nat' rule (screenshot: 2017-05-24_15h57_44.png):
    This doesn't even result in a connection to the clearpass, or doesn't show a connection on the controller (using show datapath session table <clientip>)

Any idea on how to combine both? (using routing with a source nat, defined by the source nat pool)


An overview drawing can be found below: (image: 2017-05-24_15h41_31.png)


Re: Source NAT pool combined with routing

Can you share the following please:


show ip nat pool

show ip interface brief



Systems Engineer, Northeast USA

Re: Source NAT pool combined with routing

Hi Clembo,

Please find the output below.


(Local) #show ip nat pool

NAT Pools
Name Start IP End IP DNAT IP Flags
---- -------- ------ ------- -----

(Local) #show ip interface brief

Interface IP Address / IP Netmask Admin Protocol
vlan 2 / up up
vlan 1 / up up
vlan 1000 / up up
loopback unassigned / unassigned up up
mgmt unassigned / unassigned up down
