ArubaOS and Controllers

Aruba
Posts: 1,279
Registered: ‎08-29-2007

Aruba RAP Split Tunnel and Cisco Access-List

Hi,
I have a RAP connected to a Cisco 877 router and am trying to lock the port down for security by means of an access-list, but it's not really working as expected.

The RAP is in split-tunnel and after I authenticate with the Guest (Captive Portal) I can't seem to get to anything and there's a load of hits on the deny statement at the bottom.

Access-list looks like this
access-list 120 permit ip any  0.0.0.31 ! Controller IP
access-list 120 permit ip any host 194.72.9.34 ! DNS address
access-list 120 permit ip 192.168.0.0 0.0.0.3 any ! Local IP range of RAP from DHCP on Cisco
access-list 120 permit ip 10.0.0.0 0.255.255.255 any ! IP Range of clients from DHCP on Controller

On the Aruba, the access-list for the role is the following


Where is it I am going wrong? Is it in the Cisco side or on the Aruba?

Thanks

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Guru Elite
Posts: 20,002
Registered: ‎03-29-2007

Re: Aruba RAP Split Tunnel and Cisco Access-List

The question is, what do you mean "protect"?

The second question is, was this working before you put the ACL on it?

The third question is, is the RAP getting a public ip address? If not, would not the device doing the firewalling (cisco 871) already protect it?

The "Session ACL" parameter normally protects a RAP by default, if it was deployed on the public internet. It is located in Configuration > Wireless > AP Configuration (edit the ap-group of the RAP). Expand AP, expand system profile. The system profile should have a "Session ACL" parameter. That session ACL parameter is by default ap-uplink-acl, which is applied to the AP's internet port and only allows DHCP, icmp and Bonjour traffic into the AP:


ip access-list session ap-uplink-acl
any any udp 68 permit
any any svc-icmp permit
any host 224.0.0.251 udp 5353 permit


Long story short, you do not need the access list on the Cisco 871 router for the RAP.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Aruba
Posts: 1,279
Registered: ‎08-29-2007

Re: Aruba RAP Split Tunnel and Cisco Access-List

The RAP gets the address of 192.168.0.1 from the router, and is the only address available on the scope.

What we are trying to do is prevent people in these remote locations from doing things like connect their own switch to the router and bypassing the RAP.

It works when I make the access-list


Guru Elite
Posts: 20,002
Registered: ‎03-29-2007

Re: Aruba RAP Split Tunnel and Cisco Access-List

If you are doing "any any route src-nat" in the user role of the RAP, the source ip address of all user traffic coming out that RAP will be that of the access point (192.168.0.1). That is the only address that you need to permit traffic to/from.
Colin Joseph
Aruba Customer Engineering

Aruba
Posts: 1,279
Registered: ‎08-29-2007

Re: Aruba RAP Split Tunnel and Cisco Access-List

But I'm permitting that address in the access-list, so not sure why it's not working.

Guru Elite
Posts: 20,002
Registered: ‎03-29-2007

Re: Aruba RAP Split Tunnel and Cisco Access-List

Yes,

You can permit that address, but unless that permit is stateful, you need to allow the traffic to come back in, as well.
Colin Joseph
Aruba Customer Engineering

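The point Colin makes above, modelled in code. This is an added example and not part of any post in the thread: it parses a small subset of IOS numbered-ACL syntax (`permit|deny ip SRC DST` with `any`, `host` and wildcard masks), evaluates packets stateless first-match style with the implicit deny at the end, and then wraps the same list in a session table to show why a stateful permit lets the controller's reply back in while the stateless list drops it. The entries follow the ones posted earlier in the thread; `203.0.113.10` is a constructed stand-in for the controller address, which the post does not show.

```python
"""Stateless IOS-style ACL vs. a stateful filter, applied to the RAP's traffic.

Constructed example. 203.0.113.10 stands in for the controller address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair to a network.

    In a wildcard mask a 1 bit means 'don't care', so the netmask is its bitwise
    inverse. Only contiguous masks are supported here.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = wild ^ 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    base = int(ipaddress.IPv4Address(addr)) & netmask
    return ipaddress.IPv4Network((base, prefix))


def _parse_operand(tokens, i):
    """Parse one address operand at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny ip SRC DST' lines; '!' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("!", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, i = _parse_operand(tokens, 4)
        dst, _ = _parse_operand(tokens, i)
        entries.append(AclEntry(tokens[2], src, dst))
    return entries


def evaluate_stateless(acl, pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


class StatefulFilter:
    """Same ACL for the outbound direction, plus a session table for replies."""

    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()

    def outbound(self, pkt: Packet) -> str:
        verdict = evaluate_stateless(self.acl, pkt)
        if verdict == "permit":
            self.sessions.add((pkt.src, pkt.dst))
        return verdict

    def inbound(self, pkt: Packet) -> str:
        # A reply is allowed only if it reverses a session the outbound side opened;
        # anything else falls back to the plain stateless list.
        if (pkt.dst, pkt.src) in self.sessions:
            return "permit"
        return evaluate_stateless(self.acl, pkt)


# Entries modelled on the thread; the controller address is constructed.
RAP_ACL = """
access-list 120 permit ip any host 203.0.113.10      ! controller (constructed address)
access-list 120 permit ip any host 194.72.9.34       ! DNS address
access-list 120 permit ip 192.168.0.0 0.0.0.3 any    ! RAP's own subnet
access-list 120 permit ip 10.0.0.0 0.255.255.255 any ! client range from the controller
"""


def demo() -> dict:
    """RAP (192.168.0.1) talks to the controller; compare how the reply is handled."""
    acl = parse_acl(RAP_ACL)
    to_controller = Packet("192.168.0.1", "203.0.113.10")
    from_controller = Packet("203.0.113.10", "192.168.0.1")
    stateful = StatefulFilter(acl)
    stateful.outbound(to_controller)
    return {
        "outbound": evaluate_stateless(acl, to_controller),
        "reply_stateless": evaluate_stateless(acl, from_controller),
        "reply_stateful": stateful.inbound(from_controller),
        "reply_unsolicited": StatefulFilter(acl).inbound(from_controller),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The stateless list permits the RAP's outbound packet on its first entry but has nothing that matches the controller's reply (source is the controller, destination is the RAP), so the reply hits the implicit deny, which is the counter the original poster saw climbing. The stateful variant permits the reply only because the outbound side opened the session; an unsolicited packet from the same controller address is still dropped.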
Aruba
Posts: 1,279
Registered: ‎08-29-2007

Re: Aruba RAP Split Tunnel and Cisco Access-List

The inbound list is


I got it working in the end, but for the outbound list I had to permit the external ip of the router as well as the RAP ip.

access-list 120 permit ip host 192.168.0.2 any
access-list 120 permit ip host any

Doesn't quite make sense, but hey it works :)
