Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Trouble with routing traffic through controller straight to Internet

  • 1.  Trouble with routing traffic through controller straight to Internet

    Posted Dec 09, 2011 06:58 AM

    I'm trying to create an open guest network (to be turned into a captive portal later) where traffic is source NATed through the controller's WAN VLAN interface. I have enabled "ip nat source" for the guest VLAN and I'm using the default guest role as the initial role. Traffic seems to go through, but clients get no data back.


    From session table:


    Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
    -------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
    172.17.0.251 8.8.8.8 17 51496 53 0/0 0 96 0 tunnel 15 13 FSCI
    172.17.0.251 8.8.4.4 17 29844 53 0/0 0 96 0 tunnel 15 e FSCI


    Do I need something extra? The Internet connection is through a static IP assigned to another VLAN. I have applied a firewall rule set for this VLAN, restricting incoming ports to NAT-T and management; does that affect it? (And the interface is marked as untrusted.)


    The controller is an A620 running 6.1.2.5, with an AP-105 as a RAP.



  • 2.  RE: Trouble with routing traffic through controller straight to Internet

    EMPLOYEE
    Posted Dec 09, 2011 07:25 AM

    You need to make sure that the default gateway for the controller is the upstream WAN router. Then you need to create static routes for internal networks and point them to an internal router. IP NAT inside (source NAT) follows the internal routing table of the controller; you need to change it to make sure that external traffic routes out the WAN interface of the controller for it to work.




  • 3.  RE: Trouble with routing traffic through controller straight to Internet

    Posted Dec 09, 2011 08:35 AM

    I have only a default route, which points to the WAN router. I can remotely access the controller, the RAP can connect remotely, and ping tests from the controller work.

    For some reason the sites I try to access appear under Clients? The AP name is the port the WAN is connected to, and they have the logon role assigned?



  • 4.  RE: Trouble with routing traffic through controller straight to Internet

    EMPLOYEE
    Posted Dec 09, 2011 08:39 AM

    Do you have an ACL on the WAN port, or is it untrusted?




  • 5.  RE: Trouble with routing traffic through controller straight to Internet

    Posted Dec 09, 2011 08:45 AM

    The port is marked as untrusted and the WAN VLAN firewall policy is applied. No firewall policy on the port itself, though.



  • 6.  RE: Trouble with routing traffic through controller straight to Internet

    EMPLOYEE
    Posted Dec 09, 2011 08:56 AM

    It should be marked as trusted, but you should apply an ACL that only allows NAT-T inbound for RAPs:

    According to the article here:  http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-Connect-your-Aruba-Controller-to-a-Cable-Modem/m-p/951/highlight/true#M64


    The only difference, is that you want to allow NATT inbounds and DHCP (if you are gettiun


    This is what you should have:


    ip access-list session WAN
    any any svc-natt permit
    any any any deny

    exit
    interface gigabitethernet 1/0
    ip access-group WAN session

     

    Any traffic will be allowed outbound, but only NAT-T (UDP 4500) will be allowed inbound for your RAPs.




  • 7.  RE: Trouble with routing traffic through controller straight to Internet

    Posted Dec 09, 2011 09:40 AM

    ip access-list session Internet
    network xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx any Aruba-MGMT permit
    any any svc-natt permit
    host xxx.xxx.xxx.xxx any svc-ssh permit
    !


    interface fastethernet 1/6
    description "FE1/6"
    trusted
    trusted vlan 1-4094
    ip access-group "Internet" session
    switchport access vlan 1000
    !


    Now all the bogus clients are gone, but still no connectivity. From a client I can ping every interface of the controller, but traffic is not going any further.

    I enabled logging on the remote firewall and ran some tests. If I ping that firewall, it sees traffic coming from the controller's WAN address, accepted and returned. So the problem is somewhere with the returning traffic.



  • 8.  RE: Trouble with routing traffic through controller straight to Internet

    EMPLOYEE
    Posted Dec 09, 2011 09:41 AM

    Are you sure you have ip nat inside on the Guest Client's IP interface?



  • 9.  RE: Trouble with routing traffic through controller straight to Internet

    Posted Dec 09, 2011 09:47 AM

    interface vlan 80
    ip address 172.17.0.1 255.255.255.0
    no ip routing
    ip nat inside
    operstate up
    !




  • 10.  RE: Trouble with routing traffic through controller straight to Internet
    Best Answer

    EMPLOYEE
    Posted Dec 09, 2011 09:50 AM

    Remove no ip routing from the interface.




  • 11.  RE: Trouble with routing traffic through controller straight to Internet

    Posted Dec 09, 2011 10:08 AM

    Allowing IP routing on the guest VLAN interface didn't help, but allowing it on the WAN VLAN did. I put no ip routing back on the guest VLAN and it still works.


    yay! 
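    The pieces the thread converges on, pulled together into one ArubaOS 6.x configuration. This is an added example, not something posted in the thread: the interface names, VLAN numbers and every address (203.0.113.x, 192.168.1.254, 172.17.0.x) are placeholders, the user-defined Aruba-MGMT netservice from post 7 is left out, and the DHCP line is only relevant when the WAN address is assigned by DHCP.

```arubaos
! Added example, not from the thread. All addresses and port numbers are placeholders.

! 1. Routing: default route to the upstream WAN router, static routes for internal
!    networks via an internal router. Source NAT follows this routing table, so the
!    default route must point out of the WAN side.
ip default-gateway 203.0.113.1
ip route 10.0.0.0 255.0.0.0 192.168.1.254

! 2. Session ACL for the WAN port: outbound is unrestricted by the session state,
!    inbound allows only NAT-T (UDP 4500) for the RAPs and SSH from one admin host.
ip access-list session WAN
host 203.0.113.50 any svc-ssh permit
any any svc-natt permit
! any any svc-dhcp permit   <- only if the WAN address comes from DHCP
any any any deny
!

! 3. WAN-facing port: trusted, with the session ACL applied, on the WAN VLAN.
interface fastethernet 1/6
description "WAN"
trusted
trusted vlan 1-4094
ip access-group "WAN" session
switchport access vlan 1000
!

! 4. WAN VLAN interface: ip routing must remain enabled here. With "no ip routing"
!    on this interface the NATed guest traffic goes out but the replies never make
!    it back to the clients, which is the symptom the thread started with.
interface vlan 1000
ip address 203.0.113.10 255.255.255.0
ip routing
!

! 5. Guest VLAN interface: ip nat inside rewrites guest sources to the WAN address.
!    "no ip routing" is harmless here, as post 11 found.
interface vlan 80
ip address 172.17.0.1 255.255.255.0
ip nat inside
!
```

    After applying this, `show ip route` should list only the default route via the WAN router plus the internal static routes, and `show datapath session` should show the guest flows with the reverse direction present as well, rather than only the outbound entries seen in post 1.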



  • 12.  RE: Trouble with routing traffic through controller straight to Internet

    Posted May 09, 2012 05:30 AM

    Obi - Do you now have this working with the Captive portal too?  I need to do a similar configuration.  Thanks.