05-01-2017 07:55 PM - edited 07-05-2021 06:57 AM
Hi all,
I was wondering if someone can tell me the mechanics of FlexConnect split-tunnelling, more specifically when the SSID is tunnelled to a WLC housed in a DMZ for Internet-only access? How does the wireless client access those split-tunnelled resources when the client IP address technically exists in the DMZ and not at the local site? How does it route to the destination hosts in the split tunnel? I'm guessing some form of NAT is involved?
I have a client with a Guest SSID who require access to a local subnet at each one of its branch offices, and I need to determine the data flows as they have several firewalls throughout the environment.
Thanks,
-Brett
05-01-2017 09:35 PM
G'day Brett!
You're correct with your assumption of a NAT when you create an access-list that matches your local traffic e.g. permit 0.0.0.0 to 192.168.0.0/24 and apply that to your Flex AP (or use a WLAN-ACL mapping in FlexGroup).
After applying the split-tunnel ACL to the Flex AP it will create a NAT on its BVI with the interesting traffic being whatever you have defined in the ACL.
Cheers,
Ric
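To work out what each branch firewall will see, the answer above can be turned into a small flow model. This is an added example, not Cisco code or anything from the thread: it assumes the behaviour Ric describes (a flow whose destination matches a `permit` entry in the split-tunnel ACL is switched locally and source-NATed to the AP's BVI address; everything else rides the CAPWAP tunnel to the DMZ WLC and reaches its destination with the client's DMZ-side address). The ACL text format, the function names, the guest subnet `10.200.0.0/24`, the BVI address `192.168.0.5` and the Internet host `203.0.113.10` are all constructed for the example.

```python
"""Flow model for FlexConnect split tunnelling (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" = switch locally, "deny" = send through the tunnel
    src: IPv4Network
    dst: IPv4Network


def parse_acl(text: str) -> List[AclEntry]:
    """Parse lines of the form '<permit|deny> <src-cidr> <dst-cidr>'.

    This line format is an assumption made for the example, not WLC syntax;
    '0.0.0.0/0' stands for 'any'. Blank lines and '#' comments are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown ACL action: {action}")
        entries.append(AclEntry(action,
                                ip_network(src, strict=False),
                                ip_network(dst, strict=False)))
    return entries


@dataclass(frozen=True)
class Flow:
    client_ip: str   # address the DMZ WLC handed the guest client
    dst_ip: str      # host the client is talking to


def classify(flow: Flow, acl: List[AclEntry], ap_bvi_ip: str) -> Tuple[str, str]:
    """Return (path, source address the destination host will see).

    First matching entry wins. A flow that matches nothing is tunnelled,
    which is the conservative assumption for a guest SSID.
    """
    src = ip_address(flow.client_ip)
    dst = ip_address(flow.dst_ip)
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            if entry.action == "permit":
                # Locally switched: AP NATs the client behind its BVI address.
                return ("local (NAT at AP BVI)", ap_bvi_ip)
            return ("tunnelled to DMZ WLC", flow.client_ip)
    return ("tunnelled to DMZ WLC", flow.client_ip)


def firewall_view(flows: List[Flow], acl: List[AclEntry], ap_bvi_ip: str):
    """One row per flow: client, destination, path, and NATed/original source."""
    return [(f.client_ip, f.dst_ip) + classify(f, acl, ap_bvi_ip) for f in flows]


# Constructed split-tunnel ACL: only the branch LAN is switched locally,
# mirroring "permit any to 192.168.0.0/24" from the answer above.
SPLIT_ACL = """
permit 0.0.0.0/0 192.168.0.0/24
deny   0.0.0.0/0 0.0.0.0/0
"""

# Constructed sample flows from one guest client in the DMZ guest subnet.
SAMPLE_FLOWS = [
    Flow("10.200.0.23", "192.168.0.10"),   # branch printer on the local LAN
    Flow("10.200.0.23", "192.168.1.10"),   # another internal subnet, not permitted
    Flow("10.200.0.23", "203.0.113.10"),   # Internet host
]

AP_BVI_IP = "192.168.0.5"   # constructed BVI address of the FlexConnect AP


if __name__ == "__main__":
    for client, dst, path, seen_src in firewall_view(SAMPLE_FLOWS, parse_acl(SPLIT_ACL), AP_BVI_IP):
        print(f"{client} -> {dst}: {path}; destination sees source {seen_src}")
```

Running it shows the point Brett was after: only the flow to `192.168.0.0/24` appears on the branch LAN, and it appears sourced from the AP's BVI address rather than from the guest subnet, so the branch firewalls never see the `10.200.0.0/24` range; the other two flows stay inside the tunnel and surface only at the DMZ side.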
05-01-2017 10:21 PM
Thanks Ric!
I was hoping it was the AP that did the NAT. This means no changes required from a Firewall perspective in my client's scenario. :-)
-Brett
05-02-2017 04:04 AM
No worries, good luck with the design!