Sample NAT-mode ESI Topology

This section describes the configuration for a sample NAT-mode topology using the managed device and three external captive-portal servers. NAT mode uses a trusted interface for each external captive-portal server and a different destination port to redirect a packet to a port other than the original destination port in the packet. An example topology is shown below in Figure 2.

Figure 1   Example NAT-Mode Topology

Figure 2

In this example, all HTTP traffic received by the managed device is redirected to the external captive portal server group and load-balanced across the captive portal servers. All wireless client traffic with destination port 80 is redirected to the captive portal server group, with the new destination port 8080.


The external servers do not necessarily have to be on the same subnet as the managed device. The policy that redirects traffic to the external servers for load balancing is routed to the external servers if they are on a different subnet.

In the topology shown, the following configurations are entered on the managed device and external captive-portal servers:

ESI server configuration on the managed device

External captive-portal server 1:

Name = external_cp1

Mode = NAT

Trusted IP address = 10.1.1.1

Alternate destination port = 8080

External captive-portal server 2:

Name = external_cp2

Mode = NAT

Trusted IP address = 10.1.1.2

External captive-portal server 3:

Name = external_cp3

Mode = NAT

Trusted IP address = 10.1.1.3

Health-check ping:

Name = externalcp_ping

Frequency = 30 seconds

Retry-count = 2 attempts

Timeout = 2 seconds (2 seconds is the default)

ESI group = external_cps

Session ACL

Name = cp_redirect_acl

Session policy = user any svc-http redirect esi-group external_cps direction both
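The following model of the redirect and health-check behaviour described above is an added example, not ArubaOS code. It assumes that a server is taken out of the group after retry-count consecutive failed health-check pings, that healthy servers are selected round-robin, and that the 8080 alternate destination port (listed above only for server 1) applies to all three servers, as the prose states.

```python
"""Model of the NAT-mode ESI redirect policy and ping health check.
Added example; the round-robin selection and 'down after retry-count
consecutive misses' rule are assumptions of this model, not product facts."""
from dataclasses import dataclass


@dataclass
class EsiServer:
    name: str
    trusted_ip: str        # trusted IP address of the captive-portal server
    alt_dest_port: int     # NAT-mode alternate destination port
    failures: int = 0      # consecutive failed health-check pings


@dataclass
class EsiGroup:
    name: str
    servers: list
    retry_count: int = 2   # from the externalcp_ping health check above
    _rr: int = 0           # round-robin cursor

    def health_check(self, name: str, reachable: bool) -> bool:
        """Record one ping result; return True while the server is still up."""
        srv = next(s for s in self.servers if s.name == name)
        srv.failures = 0 if reachable else srv.failures + 1
        return srv.failures < self.retry_count

    def healthy(self):
        return [s for s in self.servers if s.failures < self.retry_count]

    def redirect(self, dport: int):
        """Apply 'user any svc-http redirect esi-group external_cps' to one
        packet. Returns (trusted_ip, new_dport), or None when the policy does
        not match (svc-http is destination port 80) or no server is up."""
        if dport != 80:
            return None
        up = self.healthy()
        if not up:
            return None
        srv = up[self._rr % len(up)]
        self._rr += 1
        return srv.trusted_ip, srv.alt_dest_port


def sample_group() -> EsiGroup:
    # Constructed from the server names and addresses listed on this page.
    return EsiGroup("external_cps", [
        EsiServer("external_cp1", "10.1.1.1", 8080),
        EsiServer("external_cp2", "10.1.1.2", 8080),
        EsiServer("external_cp3", "10.1.1.3", 8080),
    ])
```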