Management and Configuration Guide (Includes ACM xl) 2005-12
2-22 ProCurve Secure Access 700wl Series Management and Configuration Guide
Using the 700wl Series System
but when the client’s DHCP lease expires, it might successfully get a valid real IP address, which
would be used as the source IP instead of a NAT address.
• If NAT is never allowed (the Access Policy NAT setting is Never), the Access Controller or Integrated
Access Manager always uses the client’s real IP address (as obtained via DHCP) or its static IP
address. If the address is valid (falls within the port subnet range if one is defined, or else within the
Access Controller’s subnet range), the address is left untouched as the source address in packets
going to the network. If the client’s IP address is not valid, however, traffic to and from the client is
dropped.
Caution: This setting is intended for use only in special cases. It should not be used for normal
clients, including Access Points and other devices.
Note: It is recommended that you configure your IP address mode consistently across Access Policies
that are related. For example, you should use the same NAT mode in the Access Policy you configure for
unauthenticated clients and in the Access Policies that will affect those clients after they have
authenticated.
Although NAT is used by default in the 700wl Series system, you can elect whether to use NAT or to
allow real IP addresses, depending on your application. Allowing the 700wl Series system to use NAT
has several benefits, especially in relation to roaming:
• NAT makes roaming much more efficient. Because each NAT address is unique across the entire
700wl Series system, when the client roams to a different Access Controller its sessions can actually
be moved to the new Access Controller rather than being tunneled back through the original Access
Controller. If the client is using a real IP address, all sessions must be tunneled back through the
original Access Controller.
• NAT provides some amount of protection to a client since no device other than the Access
Controller can talk directly to the client. This provides rudimentary firewall protection.
• Allowing NAT can ensure that a client will be able to successfully communicate with the network.
If NAT is not allowed, and a client has an IP address that is not within the subnet used by the Access
Controller, return packets will not be able to reach it. This can occur if the client uses a static IP
address or receives an IP address from an external DHCP server.
However, certain applications may require a host or server system to know the actual IP address of a
client. Some examples include multi-player games, file transfer in Instant Messenger applications, and
other peer-to-peer applications.
There is one case where NAT will always be used, regardless of the NAT setting specified by the Access
Policy, and that is when PPTP/L2TP is enabled as an encryption protocol.
NAT and VPN Tunneling
The use of VPN tunneling affects IP addressing and NAT. If PPTP or L2TP is enabled for an Access
Policy, then addressing works as follows:
• The initial DHCP request is taken to be a request for an outer tunnel address, and NAT is always
used regardless of the NAT setting in the Access Policy.
Note: A side-effect of this behavior is that if encryption is “Allowed but not Required” in the Access
Policy, and a client connects without using a tunneling protocol, that client will always receive a NAT
IP address upon making a DHCP request. The client will avoid being NAT’ed only if the client’s group
allows static IP addresses, and the client actually uses a static IP address.
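As an added example (not from the ProCurve guide or the 700wl software), the following Python models the source-address decision described in the “Never” bullet above and in this VPN tunneling section, including the port-subnet precedence rule for address validity and the PPTP/L2TP override. The AccessPolicy fields, function names and subnet values are assumptions, not 700wl configuration keys.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AccessPolicy:
    """Hypothetical policy record; field names are not 700wl configuration keys."""
    nat_never: bool          # Access Policy NAT setting is "Never"
    tunnel_enabled: bool     # PPTP or L2TP enabled as an encryption protocol
    allow_static_ip: bool    # the client's group allows static IP addresses


def client_ip_is_valid(client_ip: str, controller_subnet: str,
                       port_subnet: Optional[str] = None) -> bool:
    """Valid means: inside the port subnet range if one is defined,
    otherwise inside the Access Controller's subnet range."""
    scope = ip_network(port_subnet if port_subnet else controller_subnet)
    return ip_address(client_ip) in scope


def source_address_decision(policy: AccessPolicy, client_ip: str,
                            controller_subnet: str, port_subnet: Optional[str] = None,
                            client_tunnels: bool = False,
                            client_uses_static: bool = False) -> str:
    """Return 'nat', 'real' or 'drop' for traffic from this client."""
    if policy.tunnel_enabled:
        # PPTP/L2TP enabled: the DHCP request yields an outer tunnel address and
        # NAT is always used, whatever the NAT setting. The documented exception
        # is a non-tunnelling client whose group allows static IPs and that
        # actually uses one (validity of that static IP is not covered here).
        if not client_tunnels and policy.allow_static_ip and client_uses_static:
            return "real"
        return "nat"
    if policy.nat_never:
        # "Never": the real DHCP or static address is kept if valid, else dropped.
        if client_ip_is_valid(client_ip, controller_subnet, port_subnet):
            return "real"
        return "drop"
    # Any other NAT setting: the guide states NAT is the default; the finer
    # behaviour of those settings is outside this section and not modelled.
    return "nat"
```

The second assertion below is the case practitioners most often miss: a client inside the Access Controller's subnet is still dropped under “Never” when a port subnet range is defined and the client falls outside it.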