https://community.cisco.com/t5/wireless/5508-controller-office-extended-setup/m-p/4189760#M223623 Nat is only available on the management interface configuration. As long as there are no internal AP’s connected you do not have to issue this command. <BR /><BR />config network ap-discovery nat-ip-only disable<BR /><BR />As far as SSO, you are changing the management IP address to a public ip so that you need to consider. I would think you would need to break HA. <BR />Why not break sso and use the other controller for OEAP. There is no real benefit for SSO for guest anchor. <BR /> Fri, 27 Nov 2020 15:26:28 GMT Scott Fella 2020-11-27T15:26:28Z https://community.cisco.com/t5/wireless/5508-controller-office-extended-setup/m-p/4189625#M223604 <P>Hello Team,</P><P>we are doing office extended setup on cisco 5508 controller with 8.5.135 airos and 2702i access point</P><P>controller is behind firewall</P><P>our 5508 controller is not dedicated for the OEAP setup our controller working as gust anchor controller also it is in HA,</P><P>destination Nat is present on the firewall,</P><P>On firewall we have the port 5246 and 5247 open for real ip to join the controller,</P><P>currently NAT ip is not&nbsp; configured in mgmt. interface of 5508 controller, option is grid out in mgmt. interface of 5508 controller as it is in HA&nbsp;</P><P>&nbsp;</P><P>Query</P><P>1. Is it mandatory to have the NAT on the 5508 management interface only ? or we can do NAT on other part of network(on firewall facing towards DMZ-internet).</P><P>Because we did the&nbsp; destination NAT on the firewall side for the management ip of our controller</P><P>Request of the 2702i coming to the controller using real ip , discovery response also going from wlc to destination real ip, next exchange is lost somewhere</P><P>2. our wlc has 8.5.135 license we don't require special DTLS license as it already has DATA+Wplus in existing airos right?</P><P>3. if we configure the NAT directly on the MGMT interface we need to break HA, enable NAT, again build HA, and we have the guest mobility tunnel to private ip to all other sites , does it will be problem for this tunnels.</P><P>&nbsp;</P><P>Many thanks</P><P>Shrikant</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 05 Jul 2021 19:50:12 GMT https://community.cisco.com/t5/wireless/5508-controller-office-extended-setup/m-p/4189625#M223604 ShrikantGAIKWAD69594 2021-07-05T19:50:12Z https://community.cisco.com/t5/wireless/5508-controller-office-extended-setup/m-p/4189760#M223623 Nat is only available on the management interface configuration. As long as there are no internal AP’s connected you do not have to issue this command. <BR /><BR />config network ap-discovery nat-ip-only disable<BR /><BR />As far as SSO, you are changing the management IP address to a public ip so that you need to consider. I would think you would need to break HA. <BR />Why not break sso and use the other controller for OEAP. There is no real benefit for SSO for guest anchor. <BR /> Fri, 27 Nov 2020 15:26:28 GMT https://community.cisco.com/t5/wireless/5508-controller-office-extended-setup/m-p/4189760#M223623 Scott Fella 2020-11-27T15:26:28Z