Occasional Contributor II

Internet block

We have an access rule to allow 192.168.3.3 (one server). Block all other 192.68.0.0. And a rule to allow all other traffic. No one can browse. This is what our log shows (FYI, 100.4 is our firewall):

Jul 19 14:36:35  stm[1068]: <124006> <WARN> |AP Office@192.168.101.18 stm|  UDP srcip=192.168.101.133 srcport=52409 dstip=192.168.100.4 dstport=53, action=deny

Aruba Employee

Re: Internet block

You are blocking 192.68.0.0. Is it /24 or /16?

If it's /16, your traffic will be blocked as per your configured ACL. If it's /24, please provide me the output of show rights <user-role>.

Vinod Kumaar AVM ACMX, ACDX
Principal Network Engineer
Customer Advocacy | Aruba Networks Inc.

Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the bottom right hand corner of the post.
Aruba Employee

Re: Internet block

 

 

Hi smedwetz

The way to interpret the log is:

A user (192.168.101.133) connected to the AP named Office (IP 192.168.101.18) tried to access the firewall (192.168.100.4) on UDP port 53 and was blocked.


smedwetz wrote:

 

Jul 19 14:36:35  stm[1068]: <124006> <WARN> |AP Office@192.168.101.18 stm|  UDP srcip=192.168.101.133 srcport=52409 dstip=192.168.100.4 dstport=53, action=deny


 

Your access rule seems to work.


smedwetz wrote:

We have an access rule to allow 192.168.3.3 (one server). Block all other 192.68.0.0. And a rule to allow all other traffic. No one can browse. This is what our log shows (FYI, 100.4 is our firewall):




Thank you,

Regards,

Vijay Rajasimhan | Principal Network Engineer
Customer Advocacy | Aruba Networks

Aruba Employee

Re: Internet block

Looks like the DNS query is being sent to 192.168.100.4 and is getting blocked due to the ACL rule in place (Block all other 192.68.0.0). Is the DHCP server/DNS server in a different subnet than 192.168.0.0?

Occasional Contributor II

Re: Internet block

Getting parse error on show rights.  Also what is or how do I determine user-role?  Please include syntax. 

Occasional Contributor II

Re: Internet block

DNS and Firewall are both on the same network. Do I need to allow the IPs of the DNS server and the firewall?

Aruba Employee

Re: Internet block

From Controller enable mode (i.e. # mode), give the following command:

show user-table | include 192.168.101.133

The 4th value is the user-role of the user.

Then do a show rights <user-role>

Example:

# show user-table | include 10.240.212.13 


Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
10.240.212.13 11:1b:a9:1b:7f:3c BSD\MdSray wireless_access_restrict_dhcp 05:06:40 802.1x 00:0b:86:82:70:36 Wireless AGJNTO100/6c:f3:7f:cb:e4:40/g-HT wireless_restrict_dhcp tunnel Win 7

 

 

# show rights wireless_access_restrict_dhcp 

Thank you,

Regards,

Vijay Rajasimhan | Principal Network Engineer
Customer Advocacy | Aruba Networks

Aruba Employee

Re: Internet block


smedwetz wrote:

DNS and Firewall are both on the same network. Do I need to allow the IPs of the DNS server and the firewall?


Hi smedwetz

 

Please do let us know your requirement / what you are trying to achieve.

 

-vijay

Thank you,

Regards,

Vijay Rajasimhan | Principal Network Engineer
Customer Advocacy | Aruba Networks

Occasional Contributor II

Re: Internet block

I want to allow these servers.

192.168.100.2

192.168.102.105

I want to block all other devices on that subnet 192.168.0.0 255.255.0.0

I want to allow all internet access

 

Firewall and DNS are both 192.168.100.4

Aruba Employee

Re: Internet block

Would 192.168.100.4 be the DNS server for the user or will it be some other user?

Thank you,

Regards,

Vijay Rajasimhan | Principal Network Engineer
Customer Advocacy | Aruba Networks
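
Added example (not part of the original thread, and not Aruba code): a Python sketch that parses the log line quoted above and walks it through a first-match rule list built from the requirement the poster stated (permit 192.168.100.2 and 192.168.102.105, deny 192.168.0.0/16, permit everything else). The rule tuples, the top-down first-match model and the extra DNS permit in ACL_WITH_DNS are assumptions for illustration, not controller syntax.

```python
import ipaddress
import re

# Log line copied from the thread.
LOG = ("Jul 19 14:36:35  stm[1068]: <124006> <WARN> |AP Office@192.168.101.18 stm|  "
       "UDP srcip=192.168.101.133 srcport=52409 dstip=192.168.100.4 dstport=53, action=deny")

LOG_RE = re.compile(
    r"\|AP (?P<ap>.+?)@(?P<ap_ip>[\d.]+) \w+\|\s+(?P<proto>\w+) "
    r"srcip=(?P<src>[\d.]+) srcport=(?P<sport>\d+) "
    r"dstip=(?P<dst>[\d.]+) dstport=(?P<dport>\d+), action=(?P<action>\w+)")

def parse(line):
    """Pull the AP, the flow fields and the logged action out of one line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("unrecognised log line")
    flow = m.groupdict()
    flow["sport"], flow["dport"] = int(flow["sport"]), int(flow["dport"])
    return flow

# Rule = (destination network, protocol or None, dst port or None, action).
# Built from the requirement stated in the thread; a model, not controller config.
ACL = [
    ("192.168.100.2/32", None, None, "permit"),
    ("192.168.102.105/32", None, None, "permit"),
    ("192.168.0.0/16", None, None, "deny"),
    ("0.0.0.0/0", None, None, "permit"),
]
# Assumption: a narrow DNS permit placed ahead of the /16 deny.
ACL_WITH_DNS = [("192.168.100.4/32", "UDP", 53, "permit")] + ACL

def evaluate(acl, flow):
    """Return (rule index, action) for the first matching rule, top down."""
    dst = ipaddress.ip_address(flow["dst"])
    for i, (net, proto, port, action) in enumerate(acl):
        if dst not in ipaddress.ip_network(net):
            continue
        if proto is not None and proto != flow["proto"]:
            continue
        if port is not None and port != flow["dport"]:
            continue
        return i, action
    return None, "deny"  # nothing matched: implicit deny

if __name__ == "__main__":
    flow = parse(LOG)
    print("as described:", evaluate(ACL, flow))
    print("with DNS permit:", evaluate(ACL_WITH_DNS, flow))
```

In this model the logged DNS query falls through both host permits and stops at the 192.168.0.0/16 deny, because 192.168.100.4 sits inside that range; the final permit-all rule is never reached for it.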
