Office Extend Mode

nshoe18
Level 1

I have got a 3502 set up and functioning in Office Extend mode. I have found one issue though. I have to set the checkbox on my Management Interface to Enable NAT Address and put the external address in the box. Once this occurs no internal APs can join the controller.

Does anyone have any ideas on setting this up with a single controller behind a router and not having to set the NAT Address for the Management interface? Should I set up a second interface on the controller to be for external management?

9 Replies

Stephen Rodriguez
Cisco Employee

There was a defect raised against this, and I thought it was fixed in later 6.0 and 7.0 codes.

There is a workaround to this as well. Basically you need the FW rules to allow the internal AP to hairpin back into the network to reach the NAT address.

HTH,

Steve


When you say the FW, are you talking about the remote side or the corporate side?

Where the controller is.

HTH,

Steve


I think I just saw what you mean. I have the NAT statement in there but no Access-List for the UDP ports needed. That is what you are referencing, correct?

I wanted to chime in with a quick comment. If you give your WLC an outside address you can avoid the NAT altogether.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Then how would my internal APs connect?

From the inside (depending on your FW rules) you should be able to hit the DMZ because you are more TRUSTED. You can of course lock it down to ports from inside to DMZ and only allow the APs traffic and client traffic to pass. But most people from the inside allow traffic to the DMZ. And then restrict from the DMZ back in ...

Since we are small, I only have a single controller and no true DMZ per se. I have set up an ACL, just haven't tested it yet.

Ok, well no worries. As Steve pointed out there is/was a NAT issue on earlier code. I think it was fixed in M1. But again, if you give the WLC an outside address and protect it with ACLs from the outside and allow your internal folks to hit it from the inside you should be ok. But again, I don't know how your network is designed or your specific design requirements. Please take these as suggestions as they may apply.

Perhaps Steve can add to this as well...