ARP NAT Hell!

 

Hi All,

 

Please see the attached diagram.

I have a customer whose AAA server is behind a firewall. It will only accept RADIUS packets from one source address - 192.168.46.1

In order to facilitate this, I have added a router to statically NAT the RADIUS source to the correct address.

From the WLC (RADIUS source) I can ping the 46.1 address of the router. I cannot ping the 46.254 address from the WLC.

From the router however, I can ping 46.252 - 254 so I know they reply. I have assumed that the non-Cisco firewall is running VRRP with .254 as the VIP.

If I send a test RADIUS auth request from the WLC, I see the router translate the outbound packets but nothing comes back.

Any thoughts anyone?


Couple of thoughts/questions

How is that firewall working? Is it just a L2/Virtual Wire setup? By the looks of the connections and IP addresses, it must be L2. But any time I've worked on firewalls at L2, they don't have IP addresses assigned to their interfaces that pass traffic. That's usually done in a routed configuration and they are on different subnets. These are on the same subnet but are on 2 different interfaces.

The MAC addresses look odd also, a little off from typical VRRP. If the firewall was running VRRP on .254, then it should be in the ARP table, which it is not in the snippet you provided. The MAC address for .252 indicates the vendor is Nexcom, which I'm not familiar with.

Also, if there's VRRP, is there a second firewall unit not shown on your drawing? Can you ping the RADIUS server from the router?


Hi there,

 

The firewall must be in routed mode.

I agree that the MAC addresses look messed up:

Internet  192.168.46.254          0   0000.5e00.0002  ARPA   FastEthernet0/0
Internet  192.168.46.252         84   0010.f333.c916  ARPA   FastEthernet0/0
Internet  192.168.46.253          0   0000.5e00.0002  ARPA   FastEthernet0/0
Internet  192.168.46.250        144   0000.5e00.0002  ARPA   FastEthernet0/0
Internet  192.168.46.251        144   0000.5e00.0002  ARPA   FastEthernet0/0

I have recreated the environment in GNS3 and it works perfectly. That is with a router interface mimicking the customer firewall.

 

The site firewall is a pair of appliances which my drawing does not show.

They must be NATing the 192.168.46.x/24 network to another private subnet where the RADIUS server resides.

In answer to your question, I cannot ping the RADIUS server from the router but I am told by their security team that there is an ACL blocking inbound ICMP requests.
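As an added example (not code from anyone in this thread), here is a small Python parser for the IOS "show ip arp" lines quoted above: it groups IPs by hardware address, reports any MAC that answers for several addresses, and checks that MAC against the VRRP IPv4 (00-00-5E-00-01-xx, RFC 5798) and Cisco HSRPv1 (0000.0c07.acxx) virtual-MAC ranges. The sample input is the five entries from the post; the range constants and function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the five ARP entries quoted in the post above
# (IOS "show ip arp" columns: Protocol Address Age(min) Hardware Addr Type Interface).
ARP_OUTPUT = """\
Internet  192.168.46.254          0   0000.5e00.0002  ARPA   FastEthernet0/0
Internet  192.168.46.252         84   0010.f333.c916  ARPA   FastEthernet0/0
Internet  192.168.46.253          0   0000.5e00.0002  ARPA   FastEthernet0/0
Internet  192.168.46.250        144   0000.5e00.0002  ARPA   FastEthernet0/0
Internet  192.168.46.251        144   0000.5e00.0002  ARPA   FastEthernet0/0
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)",
    re.IGNORECASE,
)

VRRP_V4_PREFIX = "0000.5e00.01"  # RFC 5798: 00-00-5E-00-01-{VRID}
HSRP_V1_PREFIX = "0000.0c07.ac"  # Cisco HSRPv1: 0000.0c07.ac{group}


def parse_arp(text):
    """Parse IOS 'show ip arp' output into a list of dicts (ip, age, mac, intf)."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["mac"] = entry["mac"].lower()
            entries.append(entry)
    return entries


def shared_macs(entries):
    """Return {mac: [ips]} for every MAC bound to more than one IP address."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def classify_mac(mac):
    """Name the virtual-MAC range a hardware address falls in, if any."""
    if mac.startswith(VRRP_V4_PREFIX):
        return "vrrp-ipv4"
    if mac.startswith(HSRP_V1_PREFIX):
        return "hsrp-v1"
    if mac.startswith("0000.5e00."):
        return "iana-oui-not-vrrp"  # IANA OUI but outside the VRRP block
    return "unicast"


if __name__ == "__main__":
    for mac, ips in shared_macs(parse_arp(ARP_OUTPUT)).items():
        print(f"{mac} ({classify_mac(mac)}) answers for {len(ips)} IPs: {', '.join(ips)}")
```

Run against the quoted table it reports that 0000.5e00.0002 answers for .250, .251, .253 and .254 and is not in the VRRP range, which is the oddity the earlier reply pointed at.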

 


 


What does the security team see in their logs for the RADIUS attempts from .46.1?


That their firewall config was bunkum.

They have amended their config and it's all working fine :)

Thank you for your input. Logic said that the problem was on their side but the ICMP issue threw me.

Thanks again,

 

Jason
