Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

(route) dst-nat to proxy without changing route?

  • 1.  (route) dst-nat to proxy without changing route?

    MVP
    Posted Sep 05, 2013 04:44 AM

    Hi,

    We've got a situation where we need to redirect guest traffic towards a proxy in a different subnet.

    The proxy is on an internal subnet. The default gateway for the guests is a firewall that specifically allows this traffic.

    We've implemented a simple dst-nat to the proxy policy in the user-role which does the trick except for 1 issue.

    The problem is that guest traffic is pulled out of the guest VLAN and routed (using the controller's routing table) over the internal LAN. This arrives at the firewall, which sees it as guest traffic coming from an internal interface and drops it.

    Is there a way to achieve this without changing the routing table of the controller?

    I looked at the "route dst-nat" option, which from the description appears to be exactly what I need, but I cannot seem to enter my dst address (or the next hop) anywhere?



  • 2.  RE: (route) dst-nat to proxy without changing route?

    EMPLOYEE
    Posted Sep 05, 2013 06:48 AM

    You could use the little-known ESI redirect.

    Put the "redirect" session ACL in your role for the redirect to work:

    esi ping health-30sec
      frequency 30
      timeout 1
      retry-count 2
    !
    esi server friendly-name-of-proxy-server
      mode route
      trusted-ip-addr 192.168.1.50 (proxy ip address)
      untrusted-ip-addr 192.168.1.50 (proxy ip address again)
    !
    esi group proxy-group
      ping health-30sec
      server friendly-name-of-proxy-server
    !
    
    
    ip access-list session "redirect"
       any any any redirect esi-group "proxy-group" direction forward 
    !