Controller Based WLANs

Configure a controller port connected directly to the internet

Aruba Employee

Introduction:

Remote AP deployments are usually placed behind the network firewall, which NATs/PATs UDP 4500 (IPsec NAT-T) through to the controller's address on the internal network.

If instead an internet-facing port is connected directly to the controller, the port ACL only needs to permit that NAT-T traffic to the controller, for example:

any any udp 4500 permit

User traffic that leaves through this port still gets a return path: session ACLs are stateful, so replies to a session permitted by the user role's firewall policy are allowed back in and are not blocked by the deny-all at the end of the port ACL.

The SSH (tcp 22) and WebUI (tcp 4343) permits in the example below expose controller management to every source on the internet; restrict the source to known management addresses, or leave those lines out, unless remote management from the internet is actually required.

vlan 10 OUTSIDE-INTERNET
!
ip access-list session OUTSIDE-INTERNET
   any any svc-dhcp permit                       (required for DHCP)
   any any udp 4500 permit                       (required for Remote AP IPsec NAT-T, as described above)
   any any tcp 22 permit                         (use this to allow SSH to controller)
   any any tcp 4343 permit                       (use this to allow SSL/WebUI to controller)
   any any tcp 80 dst-nat ip 192.168.168.100     (use the following to host multiple web servers - this one is NAT only, no PAT)
   any any tcp 81 dst-nat ip 192.168.168.101 80  (this one is port 81 incoming then NAT and PAT to port 80)
   any any tcp 82 dst-nat ip 192.168.168.102 80  (this one is port 82 incoming then NAT and PAT to port 80)
   any any tcp 83 dst-nat ip 192.168.168.103 80  (this one is port 83 incoming then NAT and PAT to port 80)
   any any tcp 37777 dst-nat ip 192.168.168.99   (NAT only, no PAT)
   any any any deny log
!
interface fastethernet 1/0
   description OUTSIDE-INTERNET
   trusted
   ip access-group OUTSIDE-INTERNET session
   switchport access vlan 10
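To make the behaviour of that port ACL concrete, here is an added example (not Aruba's code and not part of the original article): a small Python model of first-match session-ACL evaluation with a session table. It parses the rules above, plus the UDP 4500 permit the introduction calls for, and shows why inbound TCP 81 is delivered to 192.168.168.101:80 while TCP 80 keeps its port, why an unsolicited inbound packet hits the final deny, and why a reply to a user's outbound session is still allowed in. Assumptions: only "any any" source/destination rules are handled (all of the page's rules use that form), svc-dhcp is taken to mean udp 67/68, and the sample packets and the 192.0.2.1 / 198.51.100.7 / 203.0.113.10 / 10.10.10.5 addresses are constructed for the example.

```python
"""Illustrative model of ArubaOS session-ACL evaluation (added example, not Aruba code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# The page's port ACL plus the NAT-T permit described in the introduction.
ACL_TEXT = """
any any svc-dhcp permit
any any udp 4500 permit
any any tcp 22 permit
any any tcp 4343 permit
any any tcp 80 dst-nat ip 192.168.168.100
any any tcp 81 dst-nat ip 192.168.168.101 80
any any tcp 82 dst-nat ip 192.168.168.102 80
any any tcp 83 dst-nat ip 192.168.168.103 80
any any tcp 37777 dst-nat ip 192.168.168.99
any any any deny log
"""

# Assumed expansion of the service alias used on the page.
SERVICE_ALIASES = {"svc-dhcp": ("udp", frozenset({67, 68}))}


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str                      # "tcp", "udp" or "any"
    ports: Optional[frozenset]      # destination ports; None = any port
    action: str                     # "permit", "deny" or "dst-nat"
    nat_ip: Optional[str] = None
    nat_port: Optional[int] = None  # None = keep original port (NAT only, no PAT)
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto == "any":
            return True
        return self.proto == pkt.proto and (self.ports is None or pkt.dport in self.ports)


def parse_rule(line: str) -> Rule:
    t = line.split()
    if t[0] != "any" or t[1] != "any":
        raise ValueError("this model only handles 'any any' source/destination: " + line)
    svc = t[2]
    if svc in ("tcp", "udp"):
        proto, ports, rest = svc, frozenset({int(t[3])}), t[4:]
    elif svc in SERVICE_ALIASES:
        proto, ports = SERVICE_ALIASES[svc]
        rest = t[3:]
    elif svc == "any":
        proto, ports, rest = "any", None, t[3:]
    else:
        raise ValueError("unknown service: " + svc)
    action = rest[0]
    if action == "dst-nat":
        # "dst-nat ip <addr> [<port>]": a trailing port means NAT and PAT, none means NAT only
        nat_port = int(rest[3]) if len(rest) > 3 and rest[3].isdigit() else None
        return Rule(proto, ports, "dst-nat", rest[2], nat_port, "log" in rest)
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: " + action)
    return Rule(proto, ports, action, log="log" in rest)


def parse_acl(text: str):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


class SessionFirewall:
    """First-match ACL whose session table is consulted before the rules."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()

    def outbound(self, pkt: Packet) -> None:
        # The user role's own policy is assumed to have permitted this flow; the
        # controller records the session so the reply can be matched statefully.
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Tuple[str, int]]]:
        """Return (verdict, translated (ip, port) or None) for a packet arriving on the port."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return ("permit-session", None)  # reply to an existing session; ACL not consulted
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "dst-nat":
                    return ("dst-nat", (rule.nat_ip, rule.nat_port or pkt.dport))
                return (rule.action, None)
        return ("deny", None)  # implicit deny when nothing matched


def demo():
    fw = SessionFirewall(parse_acl(ACL_TEXT))
    fw.outbound(Packet("tcp", "10.10.10.5", 51000, "203.0.113.10", 443))  # user browsing out
    return {
        "web_80": fw.inbound(Packet("tcp", "198.51.100.7", 40000, "192.0.2.1", 80)),
        "web_81": fw.inbound(Packet("tcp", "198.51.100.7", 40001, "192.0.2.1", 81)),
        "natt": fw.inbound(Packet("udp", "198.51.100.7", 4500, "192.0.2.1", 4500)),
        "unsolicited_443": fw.inbound(Packet("tcp", "198.51.100.7", 40002, "192.0.2.1", 443)),
        "reply_to_user": fw.inbound(Packet("tcp", "203.0.113.10", 443, "10.10.10.5", 51000)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

Running it shows the two dst-nat flavours side by side (port 80 keeps its port, port 81 is rewritten to 80), the unsolicited 443 packet falling through to the deny, and the reply to the user's outbound session being admitted by the session table before any rule is examined.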

 

Version history
Revision #: 1 of 1
Last update: 11-09-2014 10:59 AM