Management and Configuration Guide (Includes ACM xl) 2005-12
ProCurve Secure Access 700wl Series Management and Configuration Guide 2-21
Using the 700wl Series System
Addressing in the 700wl Series System
Clients connected to Access Controller or Integrated Access Manager ports can obtain an IP address in
one of three ways:
• Network Address Translation (NAT) mode: The Access Controller (or Integrated Access Manager)
responds to a DHCP request from a client with a “private” IP address in the subnet configured for
NAT (by default, the 42.0.0.1 subnet). Packets sent by the client have their private IP address and
port replaced with the IP address of the Access Controller and a port number that is unique within
the 700wl Series system (NAT and PAT functions). Packets received by an Access Controller from
the network sent in reply to the NAT/PAT packets are relayed to the appropriate client with the
destination IP address and port number rewritten as appropriate. The Access Controller maintains
a connection table to map return packets back to their destination.
• Real IP mode (also known as dynamic IP mode): The client sends a DHCP request for an IP address
to the Access Controller, which the Access Controller passes on to an external DHCP server. By
default (when no port subnetting is configured), this DHCP request obtains an IP address on the Access
Controller's subnet. Subsequent packets received by the Access Controller with that IP address as
the destination are forwarded to the appropriate client. Packets from the client to the network do
not have their source IP address or source port number rewritten.
• Static IP mode: The client uses a pre-assigned IP address, which must be on the Access Controller's
subnet. Packets received by the Access Controller with this static IP address as the destination are
forwarded to the appropriate client. Packets from the client to the network do not have their source
IP address or source port number rewritten.
You specify the addressing mode for a client through the Access Policy. The 700wl Series system default
is NAT mode.
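The following sketch is an added example, not code from the guide or from the 700wl Series software. It models how the three addressing modes treat a client packet and how a connection table maps NAT/PAT replies back to the client. The class names, the 192.0.2.x controller addresses, the starting port 20000, the shared port allocator, and returning None for a packet with no table entry are all assumptions made for illustration.

```python
class PortAllocator:
    """Hands out translated ports unique across the whole system (assumed design)."""
    def __init__(self, first=20000, last=65535):
        self._next, self._last = first, last

    def allocate(self):
        if self._next > self._last:
            raise RuntimeError("translated port range exhausted")
        port, self._next = self._next, self._next + 1
        return port


class AccessController:
    """Simplified model: one table for all protocols, no entry ageing."""
    def __init__(self, ip, allocator):
        self.ip, self.allocator = ip, allocator
        self.out_map = {}  # (client_ip, client_port) -> translated port
        self.in_map = {}   # translated port -> (client_ip, client_port)

    def outbound(self, mode, src_ip, src_port):
        """Source (ip, port) seen on the network side for a client packet."""
        if mode != "nat":            # real IP and static IP: nothing is rewritten
            return src_ip, src_port
        key = (src_ip, src_port)
        if key not in self.out_map:  # first packet of a flow creates the table entry
            port = self.allocator.allocate()
            self.out_map[key] = port
            self.in_map[port] = key
        return self.ip, self.out_map[key]

    def inbound(self, dst_ip, dst_port):
        """Destination (ip, port) to relay to, or None if no table entry exists."""
        if dst_ip != self.ip:        # addressed to a real/static client: unchanged
            return dst_ip, dst_port
        return self.in_map.get(dst_port)  # NAT reply: only known flows map back


def demo():
    ports = PortAllocator()                       # shared by both controllers
    ac1 = AccessController("192.0.2.10", ports)   # constructed addresses
    ac2 = AccessController("192.0.2.11", ports)
    a = ac1.outbound("nat", "42.0.0.5", 51000)    # constructed private client address
    b = ac2.outbound("nat", "42.0.0.5", 51000)    # same tuple behind another controller
    return {
        "nat_ac1": a, "nat_ac2": b,
        "repeat": ac1.outbound("nat", "42.0.0.5", 51000),
        "reply": ac1.inbound(*a),
        "unsolicited": ac1.inbound("192.0.2.10", 40000),
        "static": ac1.outbound("static", "192.0.2.77", 51000),
    }
```

In this model a packet arriving at the controller's own address on a port with no table entry has nowhere to go, while real IP and static IP clients are reachable directly at their own addresses, which is the exposure difference between the modes.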
Note:
If PPTP or L2TP is enabled in the Access Policy, then the NAT setting only affects how the inner
tunnel address is assigned. The outer tunnel address is always NAT’ed. See the discussion in “NAT and
VPN Tunneling” on page 2-22 for a more detailed explanation of how this is handled.
The NAT settings affect client IP addressing as follows:
• If NAT is required (the Access Policy NAT setting is Always), then the Access Controller or
Integrated Access Manager always uses NAT mode. Static IP addresses are translated, and client
DHCP requests are satisfied by the Access Controller’s internal DHCP server, and are then
translated.
• If NAT is not required, but is allowed (the Access Policy NAT setting is When Necessary), then the
client’s real or static IP address is used unless the IP address is not valid. Client DHCP requests are
satisfied by the external DHCP server, and the resulting address is used. A static IP address is
used as is, unless it is determined to be not valid.
The validity of the client IP address is determined as follows:
— If the Access Controller port through which the client is connected has an IP address range
configured for it (through the Subnet tab under Interfaces in the Rights Manager) then an IP
address is valid if it falls within that range. If the address does not fall within the port’s address
range, the address is considered invalid, and NAT is used, even if the address is within the Access
Controller’s subnet.
— If there is no range assigned for the port, then the client’s IP address is valid if it is within the
Access Controller’s subnet. NAT is used only if the address is not within that subnet.
If the IP address is not valid, the Access Controller assigns a private IP address and rewrites the
source address in packets. With this setting it is possible that a NAT address might be used initially,