

(route) dst-nat to proxy without changing route?



We've got a situation where we need to redirect guest traffic towards a proxy in a different subnet.

The proxy is on an internal subnet. The default gateway for the guests is a firewall that specifically allows this traffic.


We've implemented a simple dst-nat to the proxy policy in the user-role which does the trick except for 1 issue.


The problem is that guest traffic is pulled out of the guest VLAN and routed (using the controller's routing table) over the internal LAN. This arrives at the firewall, which sees it as guest traffic coming from an internal interface and drops it.


Is there a way to achieve this without changing the routing table of the controller?


I looked at the "route dst-nat" option which from the description appears to be exactly what I need but I cannot seem to enter my dst address (or the next hop) anywhere?

Koen (ACMX #351 | ACDX #547 | ACCP)


Re: (route) dst-nat to proxy without changing route?

You could use the little-known ESI redirect.


Put the "redirect" session acl in your role for the redirect to work:


esi ping health-30sec
  frequency 30
  timeout 1
  retry-count 2
esi server friendly-name-of-proxy-server
  mode route
  trusted-ip-addr (proxy ip address)
  untrusted-ip-addr (proxy ip address again)
esi group proxy-group
  ping health-30sec
  server friendly-name-of-proxy-server

ip access-list session "redirect"
   any any any redirect esi-group "proxy-group" direction forward 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*