https://community.cisco.com/t5/wireless/capwap-though-nat-ap-side-and-controller-side/m-p/3905831#M170640 <P>Hi,<BR /><BR />I’m working on a design at the moment where the customer runs a Zero Trust model, The customer has multiple sites with no WAN. All traffic is Internet based towards there cloud provider where they run SAML aware proxies to permit access to their applications. They are cloud heavy and have no on-prem services.</P><P><BR />Meraki works well for them to provide untrusted WiFi access, however we have a situation where I need to run Aireos /IOSXE on one of the sites due to the high density and feature requirements.</P><P><BR />Is it possible for the AP to be behind NAT (option 43 on the router pointing towards a Public IP) and in the cloud environment NAT the Public IP to the MGMT interface of the controller, controller configured for FLEX (9800 Controller).</P><P>&nbsp;</P><P>I’ve tested this and can see in the DTLS packet the controller is returning its real address and hence the AP doesn’t register as it doesn’t have routing access to the RFC1918 address the controller is on.</P><P><BR />Thanks</P> Mon, 05 Jul 2021 17:49:53 GMT rgreville666 2021-07-05T17:49:53Z https://community.cisco.com/t5/wireless/capwap-though-nat-ap-side-and-controller-side/m-p/3905831#M170640 <P>Hi,<BR /><BR />I’m working on a design at the moment where the customer runs a Zero Trust model, The customer has multiple sites with no WAN. All traffic is Internet based towards there cloud provider where they run SAML aware proxies to permit access to their applications. They are cloud heavy and have no on-prem services.</P><P><BR />Meraki works well for them to provide untrusted WiFi access, however we have a situation where I need to run Aireos /IOSXE on one of the sites due to the high density and feature requirements.</P><P><BR />Is it possible for the AP to be behind NAT (option 43 on the router pointing towards a Public IP) and in the cloud environment NAT the Public IP to the MGMT interface of the controller, controller configured for FLEX (9800 Controller).</P><P>&nbsp;</P><P>I’ve tested this and can see in the DTLS packet the controller is returning its real address and hence the AP doesn’t register as it doesn’t have routing access to the RFC1918 address the controller is on.</P><P><BR />Thanks</P> Mon, 05 Jul 2021 17:49:53 GMT https://community.cisco.com/t5/wireless/capwap-though-nat-ap-side-and-controller-side/m-p/3905831#M170640 rgreville666 2021-07-05T17:49:53Z https://community.cisco.com/t5/wireless/capwap-though-nat-ap-side-and-controller-side/m-p/3905884#M170641 Not sure if this is possible. Is the AP for OEAP configured? That is in the AP configuration under FlexConnect and named "Enable OfficeExtend AP" (at least on the 8.5.x code for the 5520). <BR />Have you configured the public facing IP address on the AP under High Availability (plus the WLC name as configured under Controller -General - Name). <BR />If that doesn't work, you probably need a VPN between the sites, but I think it should work. <BR /><BR />Also check this: <A href="https://community.cisco.com/t5/other-wireless-mobility-subjects/wlc-nat-feature-problem-for-oeap/td-p/2632340" target="_blank">https://community.cisco.com/t5/other-wireless-mobility-subjects/wlc-nat-feature-problem-for-oeap/td-p/2632340</A> Fri, 09 Aug 2019 09:35:40 GMT https://community.cisco.com/t5/wireless/capwap-though-nat-ap-side-and-controller-side/m-p/3905884#M170641 patoberli 2019-08-09T09:35:40Z https://community.cisco.com/t5/wireless/capwap-though-nat-ap-side-and-controller-side/m-p/3905899#M170642 <P>Hi, Thanks for the reply. This is on a 9800 IOSXE controller.. I think this is what im looking for.. "<SPAN>config network ap-discovery nat-ip-only</SPAN><STRONG>"</STRONG> I can't seem to find that on the new controller.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 09 Aug 2019 09:57:51 GMT https://community.cisco.com/t5/wireless/capwap-though-nat-ap-side-and-controller-side/m-p/3905899#M170642 rgreville666 2019-08-09T09:57:51Z https://community.cisco.com/t5/wireless/capwap-though-nat-ap-side-and-controller-side/m-p/3905908#M170643 In that case, I suggest to open a TAC, the 9800 platform is still very new and doesn't yet have all features of the AireOS controllers.<BR /><BR /><BR /> Fri, 09 Aug 2019 10:38:59 GMT https://community.cisco.com/t5/wireless/capwap-though-nat-ap-side-and-controller-side/m-p/3905908#M170643 patoberli 2019-08-09T10:38:59Z https://community.cisco.com/t5/wireless/capwap-though-nat-ap-side-and-controller-side/m-p/3905989#M170644 <P><A href="https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/release-notes/rn-16-10-9800.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/release-notes/rn-16-10-9800.html</A></P><DIV class="container grid"><DIV class="row blowout wide-narrow-v2 visitedlinks"><DIV class="col wide-v2"><DIV><H2>Guidelines and Restrictions</H2><DIV class="body conbody"><H3>Software</H3><UL><LI><P class="p">AP connection over network address translation (NAT) and port address translation (PAT) is not supported.</P></LI><LI><P class="p">Mobility NAT is not supported.</P></LI></UL></DIV></DIV></DIV></DIV></DIV> Fri, 09 Aug 2019 13:25:01 GMT https://community.cisco.com/t5/wireless/capwap-though-nat-ap-side-and-controller-side/m-p/3905989#M170644 Rich R 2019-08-09T13:25:01Z