HP (Hewlett-Packard) 700wl Series Switch User Manual


 
Using the 700wl Series System
You specify the addressing mode for a client through the Access Policy. The 700wl Series system default is NAT mode.

Note: If PPTP or L2TP is enabled in the Access Policy, then the NAT setting only affects how the inner tunnel address is assigned. The outer tunnel address is always NAT'ed. See the discussion in NAT and VPN Tunneling on page 2-23 for a more detailed explanation of how this is handled.
The NAT settings affect client IP addressing as follows:

• If NAT is required (the Access Policy NAT setting is Always) then the Access Controller or Integrated Access Manager always uses NAT mode. Static IP addresses are translated, and client DHCP requests are satisfied by the Access Controller's internal DHCP server, and are then translated.

• If NAT is not required, but is allowed (the Access Policy NAT setting is When Necessary) then the client's real or static IP address is used unless the IP address is not valid. Client DHCP requests are satisfied by the external DHCP server, and the resulting address is used. A static IP address is used as is, unless it is determined to be not valid.

The validity of the client IP address is determined as follows:

• If the Access Controller port through which the client is connected has an IP address range configured for it (through the Subnet tab under Interfaces in the Rights Manager) then an IP address is valid if it falls within that range. If the address does not fall within the port's address range, the address is considered invalid, and NAT is used, even if the address is within the Access Controller's subnet.

• If there is no range assigned for the port, then the client's IP address is valid if it is within the Access Controller's subnet. NAT is used only if the address is not within that subnet.

If the IP address is not valid, the Access Controller assigns a private IP address and rewrites the source address in packets. With this setting it is possible that a NAT address might be used initially, but when the client's DHCP lease expires, it might successfully get a valid real IP address, which would then be used as the source IP instead of a NAT address.

• If NAT is never allowed (the Access Policy NAT setting is Never) the Access Controller or Integrated Access Manager always uses the client's real IP address (as obtained via DHCP) or its static IP address. If the address is valid (falls within the port subnet range if one is defined, or else within the Access Controller's subnet range), the address is left untouched as the source address in packets going to the network. If the client's IP address is not valid, however, traffic to and from the client is dropped.
Caution: This setting is intended for use only in special cases. It should not be used for normal clients, including Access Points and other devices.
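The address-validity and NAT-mode rules described above, written out as an added Python model so the three settings can be compared side by side. This is illustrative code, not HP's implementation: it assumes a port address range is supplied as an inclusive start/end pair and the Access Controller subnet as a CIDR prefix (the manual does not say how the Subnet tab stores them), and it models only the decision, not the DHCP exchange or packet rewriting.

```python
import ipaddress
from enum import Enum


class NatSetting(Enum):
    """The three Access Policy NAT settings named in the manual."""
    ALWAYS = "Always"
    WHEN_NECESSARY = "When Necessary"
    NEVER = "Never"


class Addressing(Enum):
    """What the Access Controller does with the client's source address."""
    NAT = "translate to a 700wl private address"
    REAL = "pass the client's real/static address through"
    DROP = "drop traffic to and from the client"


def client_ip_is_valid(client_ip, controller_subnet, port_range=None):
    """Validity rule from the manual.

    If the port has a configured range, the address is valid only when it
    falls inside that range (even an address inside the controller subnet
    is invalid otherwise). With no port range, the address is valid when
    it lies within the Access Controller's subnet.
    Assumption: port_range is an inclusive (start, end) pair of addresses.
    """
    ip = ipaddress.ip_address(client_ip)
    subnet = ipaddress.ip_network(controller_subnet, strict=False)
    if port_range is not None:
        start, end = (ipaddress.ip_address(a) for a in port_range)
        # Mixed IPv4/IPv6 cannot be compared; treat as outside the range.
        if ip.version != start.version or ip.version != end.version:
            return False
        return start <= ip <= end
    return ip in subnet


def decide_addressing(setting, client_ip, controller_subnet, port_range=None):
    """Apply the Access Policy NAT setting to one client address."""
    valid = client_ip_is_valid(client_ip, controller_subnet, port_range)
    if setting is NatSetting.ALWAYS:
        # Static or DHCP-assigned, the address is always translated.
        return Addressing.NAT
    if setting is NatSetting.WHEN_NECESSARY:
        # Real address is kept only when it passes the validity rule.
        return Addressing.REAL if valid else Addressing.NAT
    if setting is NatSetting.NEVER:
        # No fallback: an invalid address means the client gets no service.
        return Addressing.REAL if valid else Addressing.DROP
    raise ValueError(f"unknown NAT setting: {setting!r}")


def lease_history(setting, addresses_over_time, controller_subnet, port_range=None):
    """Decision for each address a client holds across successive DHCP leases.

    Shows the When Necessary case from the manual: a client may be NAT'ed at
    first and switch to its real address once a later lease is valid.
    """
    return [decide_addressing(setting, a, controller_subnet, port_range)
            for a in addresses_over_time]


if __name__ == "__main__":
    # Constructed sample topology: controller on 10.1.1.0/24, port range 10.1.1.100-200.
    subnet, prange = "10.1.1.0/24", ("10.1.1.100", "10.1.1.200")
    for setting in NatSetting:
        for ip in ("10.1.1.150", "10.1.1.50", "192.168.5.7"):
            print(f"{setting.value:15} {ip:15} -> {decide_addressing(setting, ip, subnet, prange).name}")
    # Lease sequence: first lease from the wrong network, second one valid.
    print(lease_history(NatSetting.WHEN_NECESSARY, ["192.168.5.7", "10.1.1.150"], subnet, prange))
```

The middle case in the table (10.1.1.50 with a port range of 10.1.1.100-200) is the one worth checking on a real deployment: the address is inside the controller subnet yet is NAT'ed, because a configured port range overrides the subnet test.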
Note: It is recommended that you configure your IP address mode consistently across Access Policies that are related. For example, you should use the same NAT mode in the Access Policy you configure for unauthenticated clients and in the Access Policies that will affect those clients after they have authenticated.
Although NAT is used by default in the 700wl Series system, you can elect whether to use NAT or to allow real IP addresses, depending on your application. Allowing the 700wl Series system to use NAT has several benefits, especially in relation to roaming:

• NAT makes roaming much more efficient. Because each NAT address is unique across the entire 700wl Series system, when the client roams to a different Access Controller its sessions can actually be moved to the new Access Controller rather than being tunneled back through the original Access
2-22 HP ProCurve Secure Access 700wl Series Management and Configuration Guide