05-24-2023 02:01 AM
Hi Pack,
We have a local SmartZone (vSZ-H) that we host for our end customers. We use a control NAT IP for the end customers, so they can connect to our SmartZone. Once their AP's are connected, they also receive our internal IP as well on the AP/switch ("get scg ip" shows the internal IP and the NAT IP).
Is it possible to hide the internal IP? So when the AP/switch is connected, they don't receive the internal IP - only the NAT IP which they use to make their connection.
thanks!
06-15-2023 03:19 PM
Hi @lienmonden ,
There are two ways of deploying this, Lets assume you have Site A and Site B.
Type 1.
Run Site to Site VPN between the two Sites and NAT internal IP of SZ's and AP's so that their subnets are reachable across the Sites, Firewall Rules has to be configured accordingly.
Type - 2
1. Nat SZ/vSZ Internal IP on the Site 'A' Firewall's Public IP so that it could be reached on the Internet, you have to open ports for AP-Controller communication mentioned in Admin Guide.
2. Now, you should be able to access vSZ using the Public IP A.A.A.A, on the Site 'B' Firewall you have to open ports for AP-Controller Communication mentioned in Admin Guide.
3. For this to work seamlessly you should configure rules on both Site's Firewall so that there are no reachability issues.
In both these methods you don't have to configure NAT IP on the SZ/VSZ. If you have AP's deployed in the same site as vSZ/SZ you have to direct the AP to reach SZ/VSZ internal IP.
When Onboarding each site you have to configure rules on both Firewall's so there aren't any connectivity issues between each site.
There is lot of work that needs to be done on the firewall, just to hide your vSZ's internal IP on the AP and you should watch the latency too so that AP's don't lose any heart beats.
In your setup please check the connectivity of the vSZ from remote site by removing the NAT IP on the vSZ, if you don't set correct configurations on the firewall you may have connectivity issues.
I currently use Type 1 as I have few APs (less than 100) on the remote Sites.
Hope it helps!!!
May the One Force be with You!!!
Regards,
Abilash
06-15-2023 12:38 AM
Hi @lienmonden
Since controller is behind NAT, we have to configure Control NAT IP. Please get output of "show interface" from the controller CLI and "get scg" from AP CLI.