10-20-2011 05:18 AM - edited 07-03-2021 08:57 PM
I have got a 3502 set up and functioning in OfficeExtend mode. I have found one issue though. I have to set the checkbox on the Management Interface to Enable NAT Address and put the external address in the box. Once this occurs no internal APs can join the controller.
Does anyone have any ideas on setting this up with a single controller behind a router and not having to set the NAT Address for the Management interface? Should I set up a second interface on the controller to be for external management?
10-20-2011 06:21 AM
There was a defect raised against this, and I thought it was fixed in later 6.0 and 7.0 codes.
There is a workaround to this as well. Basically you need the FW rules to allow the internal AP to hairpin back into the network to reach the NAT address.
HTH,
Steve
Sent from Cisco Technical Support iPad App
10-20-2011 06:27 AM
When you say the FW, are you talking about the remote side or the corporate side?
10-20-2011 06:55 AM
Where the controller is.
HTH,
Steve
----------------------------------------------------------------------------------------------------------
Please remember to rate helpful posts or to mark the question as answered so that it can be found later.
10-20-2011 07:22 AM
I think I just saw what you mean. I have the NAT statement in there but no Access-List for the UDP ports needed. That is what you are referencing correct?
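The hairpin firewall rules Steve describes and the access list for the CAPWAP UDP ports the original poster mentions, written out as an added example that is not part of this thread. It assumes a Cisco ASA (8.3 or later NAT syntax) in place of the router in the original post, and uses placeholder addresses: 10.1.1.10 for the WLC management interface, 203.0.113.10 for the NAT address entered on the management interface, and 10.1.1.50 for an internal AP. The ports are the CAPWAP control and data ports, UDP 5246 and 5247.

```text
! Added example (assumed ASA 8.3+ syntax, placeholder addresses)
! inside  = corporate LAN where the WLC lives
! outside = Internet-facing interface that OfficeExtend APs reach

! Real and published addresses of the WLC management interface
object network WLC-MGMT
 host 10.1.1.10
 ! Static NAT that matches the "NAT Address" set on the WLC
 nat (inside,outside) static 203.0.113.10
object network WLC-NAT
 host 203.0.113.10

! CAPWAP control (5246) and data (5247) over UDP
object-group service CAPWAP udp
 port-object eq 5246
 port-object eq 5247

! OfficeExtend APs on the Internet: only CAPWAP to the WLC, nothing else
access-list OUTSIDE_IN extended permit udp any object WLC-MGMT object-group CAPWAP
access-group OUTSIDE_IN in interface outside

! Hairpin for internal APs that join via the NAT address:
! allow traffic to enter and leave the same interface, rewrite the
! destination 203.0.113.10 -> 10.1.1.10, and PAT the source to the
! inside interface so the WLC's replies come back through the ASA
! (otherwise the AP sees replies from 10.1.1.10 instead of the address
! it joined, and CAPWAP drops them)
same-security-traffic permit intra-interface
nat (inside,inside) source dynamic any interface destination static WLC-NAT WLC-MGMT

! Check from the ASA before touching an AP: both legs of the hairpin
! should show the NAT phases and end in "Action: allow"
packet-tracer input inside udp 10.1.1.50 5246 203.0.113.10 5246
```

Two caveats with this workaround. Because the hairpin PATs the AP's source address, the WLC sees every internal AP behind the ASA's inside address rather than its real IP, which matters if you key anything on AP source address. And if the WLC is instead given an outside-reachable address of its own (the DMZ approach suggested elsewhere in the thread), no NAT Address is set on the management interface and the hairpin rule is not needed; only the CAPWAP access list and the inside-to-DMZ permits remain.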
10-20-2011 08:12 AM
I wanted to chime in with a quick comment. If you give your WLC an outside address you can avoid the NAT all together.
10-20-2011 08:18 AM
Then how would my internal APs connect?
Sent from Cisco Technical Support iPad App
10-20-2011 08:26 AM
From the inside (depending on your FW rules) you should be able to hit the DMZ because you are more TRUSTED. You can of course lock it down to ports from inside to DMZ and only allow the APs' traffic and client traffic to pass. But most people from the inside allow traffic to the DMZ. And then restrict from the DMZ back in ...
10-20-2011 08:40 AM
Since we are small, I only have a single controller and no true DMZ per se. I have set up an ACL, just haven't tested it yet.
Sent from Cisco Technical Support iPad App
10-20-2011 08:46 AM
Ok, well no worries. As Steve pointed out there is/was a NAT issue on earlier code. I think it was fixed in M1. But again, if you give the WLC an outside address and protect it with ACLs from the outside and allow your internal folks to hit it from the inside you should be ok. But again, I don't know how your network is designed or your specific design requirements. Please take these as suggestions as they may apply.
Perhaps Steve can add to this as well...