AP7522 /AP 6532 Wireless with NAT
‎07-05-2017 05:41 PM
Hi!!!!
I need to know how to configure the AP to use NAT on one wireless LAN.
Thx.
6 REPLIES 6
‎07-05-2017 07:01 PM
No matter what, at some point you have to define an IP address inside because a) the clients need to send their traffic to that IP as their default gateway, and b) the NAT mechanism needs this to operate.
You could do that on the controller, for example tunnel the wireless client vlan back to the controller and only assign an IP on the controller.
Or if using a controller-less environment, you need to select one or two APs to be master and backup virtual controllers. These 2 APs need fixed IPs, and their DHCP server needs to be controlled to only run if it is the current active domain manager (dhcp-server activation-criteria rf-domain-manager). There were some bugs around this in earlier WiNG versions, so make sure you use the latest.
‎07-05-2017 06:37 PM
Hi Andrew!
The scenario is similar, but the AP is connected in the LAN.
And I have some questions...
For example, if I define vlan15 (inside), is it necessary to define an IP on the interface? Can the DHCP server work if not? Or is an IP necessary on all APs or only on the VAP?
Can I define static NAT using 1 IP for outside? Is it necessary to create a VLAN for outside for this?
Thx
P.S.: the idea is to define a wireless network without easy access to the LAN but with controlled access to the WAN using an external firewall like FortiGate; the firewall is not on the side where the AP is.
‎07-05-2017 06:13 PM
The PDF is a good in-depth explanation, but sometimes just seeing a working config helps...
Here's a sample CLI config for a setup with 1 AP connected directly to a cable modem, with all the important bits... This may or may not apply to your situation.
- There are 2 ACLs: the first one controls what can access the AP remotely, the second one controls how NAT is applied; specifically, the deny entry controls NO-NAT behaviour, while the permit entry defines what is NATted.
- A DHCP server policy to assign IP addresses to clients.
- The WLAN definition itself; note that clients are put on VLAN 2.
- In the device config, vlan1 is considered to be directly connected to the Internet, and the Internet_ACL is applied on it; vlan2, which is local to the AP, has the wireless clients on it.
- Note the use of the ip nat commands; these control which interfaces are Inside and Outside, as well as how to apply the NAT.
ip access-list Internet_ACL
 permit udp any eq 68 any eq dhcps rule-precedence 40
 permit udp any eq 67 any eq dhcpc rule-precedence 50
 permit tcp remote_management_ip any eq https rule-precedence 60
 permit tcp remote_management_ip any eq ssh rule-precedence 65
 deny ip any any log rule-precedence 100
!
ip access-list NAT_inside
 deny ip 192.168.1.0/24 192.168.0.0/16 rule-precedence 50
 permit ip 192.168.1.0/24 any rule-precedence 100
!
dhcp-server-policy default
 dhcp-pool Wireless
  network 192.168.1.0/24
  address range 192.168.1.100 192.168.1.254
  domain-name example.com
  default-router 192.168.1.1
  dns-server 8.8.8.8 8.8.4.4
!
wlan wireless
 ssid wireless
 vlan 2
 bridging-mode local
 encryption ccmp
 authentication-type none
 wpa-wpa2 psk 0 passw0rd1
!
ap6532 xx-xx-xx-xx-xx-xx
 interface radio1
  wlan wireless bss 1 primary
 interface radio2
  wlan wireless bss 1 primary
 interface vlan1
  description Internet
  ip address dhcp
  ip dhcp client request options all
  use ip-access-list in Internet_ACL
  ip nat outside
 interface vlan2
  description Clients
  ip address 192.168.1.1/24
  no ip dhcp client request options all
  ip nat inside
 use dhcp-server-policy default
 ip nat inside source list NAT_inside interface vlan1 overload
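Added example (not part of the original post, and not Extreme's code): a small Python model of how the NAT_inside list above selects traffic for translation, run over constructed sample flows. It assumes first-match evaluation in ascending rule-precedence order and that a flow matching no entry is left untranslated; the function names are made up for this illustration.

```python
import ipaddress

# NAT selection list copied from the post above.
NAT_INSIDE = """\
deny ip 192.168.1.0/24 192.168.0.0/16 rule-precedence 50
permit ip 192.168.1.0/24 any rule-precedence 100
"""

def _net(token):
    """Turn an ACL address token into a network; 'any' matches everything."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)

def parse_rules(text):
    """Parse '<action> ip <src> <dst> rule-precedence <n>' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if (len(tok) != 6 or tok[0] not in ("permit", "deny")
                or tok[1] != "ip" or tok[4] != "rule-precedence"):
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append((int(tok[5]), tok[0], _net(tok[2]), _net(tok[3])))
    # Assumption: the rule with the lowest precedence number is checked first.
    return sorted(rules, key=lambda r: r[0])

def nat_decision(rules, src, dst):
    """Return (outcome, matching precedence) for one flow, first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prec, action, snet, dnet in rules:
        if s in snet and d in dnet:
            return ("translate" if action == "permit" else "no-nat", prec)
    # Assumption: a flow that matches no entry is left untranslated.
    return ("no-nat", None)

# Constructed sample flows (client address taken from the DHCP range in the post).
FLOWS = [
    ("192.168.1.120", "8.8.8.8"),       # Internet DNS
    ("192.168.1.120", "192.168.10.5"),  # another 192.168.x.x subnet
    ("192.168.1.120", "10.20.30.40"),   # private range outside 192.168.0.0/16
    ("10.0.0.5", "8.8.8.8"),            # source not on the client subnet
]

if __name__ == "__main__":
    rules = parse_rules(NAT_INSIDE)
    for src, dst in FLOWS:
        print(src, "->", dst, nat_decision(rules, src, dst))
```

The third flow shows that the exemption covers only 192.168.0.0/16: destinations in other private ranges are translated like Internet traffic. The list only selects what is translated, so keeping wireless clients off the LAN needs a separate filtering rule.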
‎07-05-2017 05:53 PM
Here's a link to the how-to document for your perusal: http://documentation.extremenetworks.com/ExtremeWireless/NETWORK_ADDRESS_TRANSLATION_HTG_EN.pdf
Please go over it and let us know if it helps.
Regards,
Chris
Christoph S.
