HP (Hewlett-Packard) 700wl Series Switch User Manual


 
Configuring Rights
address is valid if it falls within that address range. If the address does not fall within the port’s
address range, NAT is used, even if the address is within the Access Controller’s subnet.
If there is no range assigned for the port, then the client’s IP address is valid if it falls within the
Access Controller’s subnet. NAT is used only if it is not within that subnet.
If the IP address is not valid, the Access Controller assigns a private IP address and rewrites the
source address in packets.
Note: With this setting it is possible that a client might receive a NAT’ed address initially, but when
the client’s DHCP lease expires, it might successfully get a valid real IP address, which would be
used as the source IP instead of a NAT’ed address.
If NAT is never allowed (the Access Policy NAT setting is Never), the Access Controller or Integrated
Access Manager always uses the client’s real IP address (as obtained via DHCP) or its static IP address.
If the address is valid on the port or Access Controller subnet, the address is left untouched as the
source address in packets going to the network. If the client’s IP address is not valid, however, traffic
to and from the client is dropped.
Caution: This setting is intended for use only in special cases. It should not be used for normal
clients, including Access Points and other devices.
Note: It is recommended that you configure your IP address mode consistently across Access Policies
that are related. For example, you should use the same NAT mode in the Access Policy you configure
for unauthenticated clients and in the Access Policies that will affect those clients after they have
authenticated.
Using NAT has a number of benefits for the 700wl Series system, especially in relation to roaming. If a
client has a NAT’ed IP address, when it roams to a different Access Controller its sessions can actually be
moved to the new Access Controller rather than being tunneled back through the original Access
Controller. If the client is using a real IP address, all sessions must be tunneled back through the original
Access Controller.
NAT and VPN Tunneling
The use of VPN tunneling affects IP addressing and NAT. If PPTP or L2TP is enabled for a location (via
the Specify Encryption per Location page), then addressing works as follows:
The first DHCP request is taken to be a request for an outer tunnel address, and NAT is always used
regardless of the NAT setting in the Access Policy.
Note: A side-effect of this behavior is that if encryption is “Allowed but not Required” in the Access
Policy, and a client connects without using a tunneling protocol, that client will always receive a
NAT’ed IP address upon making a DHCP request. The client will avoid being NAT’ed only if the
client’s group allows static IP addresses, and the client actually uses a static IP address.
The inner tunnel address is assigned per the Access Policy NAT setting, as discussed above. However,
if Real IP mode is used, the client’s IP address is assigned as specified through the Tunneling
Configuration page—either via the external DHCP service or from a specified address range.
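
The address-validity and NAT rules from the two sections above, modelled as an added example (not code from the HP guide or the 700wl firmware). The function names, the `nat_never` flag and the sample addresses are constructed for illustration, and only the two NAT behaviours visible on this page are covered.

```python
import ipaddress

def address_is_valid(client_ip, ac_subnet, port_range=None):
    """A port address range, when assigned, replaces the Access Controller subnet test."""
    ip = ipaddress.ip_address(client_ip)
    if port_range is not None:
        low, high = (ipaddress.ip_address(a) for a in port_range)
        return low <= ip <= high
    return ip in ipaddress.ip_network(ac_subnet)

def source_address_action(client_ip, ac_subnet, nat_never, port_range=None,
                          outer_tunnel_dhcp=False):
    """Return 'real', 'nat' or 'drop' for a client's traffic.

    nat_never: True when the Access Policy NAT setting is Never.
    outer_tunnel_dhcp: True for a DHCP request at a location where PPTP or
    L2TP is enabled; a client using a static IP makes no such request.
    """
    if outer_tunnel_dhcp:
        return "nat"  # outer tunnel address: NAT regardless of the policy setting
    if address_is_valid(client_ip, ac_subnet, port_range):
        return "real"  # valid address is left untouched as the source address
    return "drop" if nat_never else "nat"

def dropped_under_never(clients, ac_subnet):
    """List client IPs whose traffic would be dropped with the NAT setting Never."""
    return [ip for ip, port_range in clients
            if source_address_action(ip, ac_subnet, True, port_range) == "drop"]

# Constructed sample data (not taken from the guide).
AC_SUBNET = "10.1.0.0/16"
PORT_RANGE = ("10.1.5.10", "10.1.5.50")
CLIENTS = [
    ("10.1.5.20", PORT_RANGE),   # inside the port range
    ("10.1.7.20", PORT_RANGE),   # inside the subnet but outside the port range
    ("10.1.7.20", None),         # no port range: the subnet test applies
    ("192.168.0.5", None),       # outside the subnet
]

if __name__ == "__main__":
    for ip, rng in CLIENTS:
        print(ip, rng, source_address_action(ip, AC_SUBNET, False, rng))
    print("dropped under Never:", dropped_under_never(CLIENTS, AC_SUBNET))
```

Running `dropped_under_never` over an inventory of client addresses before switching a policy to Never shows which clients would lose connectivity instead of being NAT’ed.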
4-48 HP ProCurve Secure Access 700wl Series Management and Configuration Guide