07-19-13 Expert Day

Occasional Contributor II

Default Gateway / Firewall

The default gateway for our network is our core network switch. Due to some of the routing we need to do and changes we need to make from time to time, this works better than using our firewall. The core switch routes all internet traffic to the firewall. We have our guest network set up with the virtual gateway, which also routes to the core switch. To allow internet traffic to reach the firewall we need to allow access to it (the firewall) explicitly. So one can reach the firewall through the wireless guest network (and sign on to it with the correct credentials). Is there a safer or better way to set this up so users on the guest network cannot get access to the firewall directly but still route internet traffic to it? Thanks

Aruba Employee

Re: Default Gateway / Firewall

We can create an ACL in the role to block the guest user from accessing the firewall.

any host <firewall IP> any deny log

The above session ACL will deny traffic whose destination IP is the firewall IP, and it will log the entry so we can identify which IP address is trying to access the firewall directly.

Vinod Kumaar AVM ACMX, ACDX
Principal Network Engineer
Customer Advocacy | Aruba Networks Inc.

Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the bottom right hand corner of the post.
Occasional Contributor II

Re: Default Gateway / Firewall

Will users still have the ability to route traffic through the firewall (browse the internet) with this setting? 

Aruba Employee

Re: Default Gateway / Firewall

Yes, they will.

When you are doing routing, only the source & destination MAC addresses change; your source & destination IP will be the same.

When you do NAT, your source IP will be changed but the destination IP will be the same. The above ACL will look at the destination: if the guest user is trying to access the firewall, the destination IP will be the firewall IP and the traffic will be dropped. If he is trying to go online, let's say Google, the destination IP will be Google's, not the firewall IP, so that traffic will be allowed.


Vinod Kumaar AVM ACMX, ACDX
Principal Network Engineer
Customer Advocacy | Aruba Networks Inc.

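As an added illustration (not Aruba's code and not from the thread), the Python below models the quoted session ACL as a first-match rule list and walks constructed guest packets through it. It shows the two points made above: a packet aimed at the firewall IP is dropped and logged with the guest's source address, while internet-bound traffic is permitted because routing changes only the MAC addresses and source NAT changes only the source IP, so the destination the ACL checks never changes. All addresses and MAC labels are constructed placeholders, and the implicit final deny is modelled after ArubaOS session-ACL behaviour.

```python
"""First-match session-ACL evaluator (added illustration, not Aruba code).

Models the rule quoted in the thread, "any host <firewall IP> any deny log",
followed by a permit-all, and walks constructed guest packets through it.
The firewall, client, web-server and NAT addresses below are constructed
placeholders, not values from the thread.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

FIREWALL_IP = "192.0.2.1"        # constructed stand-in for <firewall IP>
GUEST_CLIENT = "10.10.10.25"     # constructed guest-VLAN client
WEB_SERVER = "203.0.113.10"      # constructed public web server
NAT_PUBLIC_IP = "198.51.100.5"   # constructed address the firewall NATs guests to


@dataclass
class Rule:
    """One line of a session ACL: <src> <dst> <service> <action> [log]."""
    src: str          # "any", "host A.B.C.D" or a prefix like "10.0.0.0/8"
    dst: str
    service: str      # "any" or "<proto>/<port>", e.g. "tcp/443"
    action: str       # "permit" or "deny"
    log: bool = False

    def matches(self, pkt: dict) -> bool:
        return (_match_addr(self.src, pkt["src"])
                and _match_addr(self.dst, pkt["dst"])
                and _match_service(self.service, pkt))


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[len("host "):])
    return ip_address(addr) in ip_network(spec, strict=False)


def _match_service(spec: str, pkt: dict) -> bool:
    if spec == "any":
        return True
    proto, port = spec.split("/")
    return pkt["proto"] == proto and pkt["dport"] == int(port)


@dataclass
class SessionAcl:
    rules: list
    log_entries: list = field(default_factory=list)

    def evaluate(self, pkt: dict) -> str:
        """First matching rule decides; unmatched traffic hits the implicit deny."""
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    # The log line carries the guest's source IP, which is what
                    # the thread wants in order to identify who tried the firewall.
                    self.log_entries.append(
                        f"{rule.action} {pkt['src']} -> {pkt['dst']} "
                        f"{pkt['proto']}/{pkt['dport']}")
                return rule.action
        return "deny"


def guest_acl() -> SessionAcl:
    """The thread's rule first, then permit-all so internet-bound traffic still flows."""
    return SessionAcl([
        Rule("any", f"host {FIREWALL_IP}", "any", "deny", log=True),
        Rule("any", "any", "any", "permit"),
    ])


def route(pkt: dict, next_hop_mac: str) -> dict:
    """Routing rewrites only the L2 addresses; src/dst IPs are untouched."""
    return {**pkt, "dst_mac": next_hop_mac}


def source_nat(pkt: dict, public_ip: str) -> dict:
    """Source NAT at the firewall rewrites the source IP only."""
    return {**pkt, "src": public_ip}


def check_guest_to_firewall() -> tuple:
    """Guest tries the firewall directly: verdict plus what the ACL logged."""
    acl = guest_acl()
    pkt = {"src": GUEST_CLIENT, "dst": FIREWALL_IP, "proto": "tcp", "dport": 443,
           "dst_mac": "core-switch"}
    return acl.evaluate(pkt), acl.log_entries


def check_guest_to_internet() -> tuple:
    """Guest browsing: permitted, and dst IP stays stable through routing and NAT."""
    acl = guest_acl()
    pkt = {"src": GUEST_CLIENT, "dst": WEB_SERVER, "proto": "tcp", "dport": 443,
           "dst_mac": "core-switch"}
    verdict = acl.evaluate(pkt)
    routed = route(pkt, next_hop_mac="firewall")   # core switch forwards toward the firewall
    natted = source_nat(routed, NAT_PUBLIC_IP)      # firewall translates source on the way out
    return verdict, routed["dst"], natted["src"], natted["dst"]


if __name__ == "__main__":
    print(check_guest_to_firewall())
    print(check_guest_to_internet())
```

Rule order is the thing to get right when applying this in a real guest role: the deny to the firewall host must sit before any permit-all, because the first match wins and a permit placed earlier would make the deny unreachable.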