ArubaOS and Controllers

Occasional Contributor II
Posts: 61
Registered: ‎08-12-2009

Captive Portal Internal DMZ Issue

I have set up a captive portal config for guest access and it works great, but we are unable to hit our internal web servers. I have tried assigning external DNS servers so we would get the public IP address, but our internal network rule that blocks access to the internal network was causing it. Has anyone had this issue or can give me some ideas?

Thanks
Ed
Guru Elite
Posts: 19,960
Registered: ‎03-29-2007

Web Servers

If the firewall that is allowing your guest users to go out is the same firewall that you use to do the translation for the public addresses to internal addresses, you probably cannot do this. If you have the users do DNS resolution to your internal DNS servers this will help. Most people deny any guest traffic to internal destinations in the user role. You will have to place a rule(s) before that deny to allow users to reach those internal web servers.
Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 54
Registered: ‎06-19-2009

Captive Portal internal DMZ issue

Hi, we had something similar: our DMZ and default gateway use the same firewall device.

The captive portal users only had access to external DNS, therefore they would use the firewall server that was also acting as a NAT device for (ext->int) services.

This is called 'hairpinning', where the client had to be redirected from the firewall's internal interface back into the internal network.

We were using a Cisco ASA firewall device. The problem was fixed using rules that would allow for the above. But every service needed a complementary rule. We finally changed our captive portal to a different DMZ (ext IP).

jason
Occasional Contributor II
Posts: 61
Registered: ‎08-12-2009

Captive Portal internal DMZ issue

I rearranged the controller firewall rules and it was all better:


  • cplogout
  • Guest-Logon-Access (access list for what services are allowed before login)
  • Guest-Access (access list for what services are allowed after login)
  • Block Internal Networks (internal network list)
  • DMZ (our dmz server list)
  • Drop-and-Log

Thanks!
Ed
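Added example (not from the thread or from Aruba): a first-match evaluator that models Colin's point about ordered session ACLs in a user role, with an allow for the internal web servers placed before or after the deny for internal networks. The address ranges and server IPs are constructed samples; ACL names are hypothetical.

```python
import ipaddress

# Constructed sample address ranges and servers (not from the thread).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
WEB_SERVERS = [ipaddress.ip_address("10.10.5.20"),
               ipaddress.ip_address("10.10.5.21")]

def allow_web_servers(dst, port):
    """Permit HTTP/HTTPS only to the listed internal web servers."""
    if dst in WEB_SERVERS and port in (80, 443):
        return "permit"
    return None  # no match: fall through to the next ACL

def deny_internal(dst, port):
    """Deny any traffic destined for internal address space."""
    if any(dst in net for net in INTERNAL_NETS):
        return "deny"
    return None

def allow_internet(dst, port):
    """Permit the usual guest services to everything else."""
    return "permit" if port in (53, 80, 443) else None

def drop_and_log(dst, port):
    """Catch-all at the end of the role."""
    return "deny"

def evaluate(role, dst, port):
    """First-match evaluation, as a role's ordered session ACLs behave.
    Returns (acl_name, verdict) for the first ACL that matches."""
    dst = ipaddress.ip_address(dst)
    for name, acl in role:
        verdict = acl(dst, port)
        if verdict is not None:
            return name, verdict
    return "implicit", "deny"

# Deny ahead of the server permit: guests can never reach the web servers.
BROKEN_ROLE = [("deny-internal", deny_internal), ("allow-web-servers", allow_web_servers),
               ("allow-internet", allow_internet), ("drop-and-log", drop_and_log)]
# Permit placed before the deny, as advised: servers reachable, rest of the LAN still blocked.
FIXED_ROLE = [("allow-web-servers", allow_web_servers), ("deny-internal", deny_internal),
              ("allow-internet", allow_internet), ("drop-and-log", drop_and_log)]

if __name__ == "__main__":
    for role_name, role in (("broken", BROKEN_ROLE), ("fixed", FIXED_ROLE)):
        print(role_name, evaluate(role, "10.10.5.20", 443), evaluate(role, "10.0.0.5", 22))
```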