Controller Based WLANs

How-to: Configure a controller port connected directly to the Internet

Almost all RAP deployments I have done have been behind the customer’s firewall where they NAT/PAT UDP 4500 over to the controller address on their internal network.


If I have an Internet port connected directly to the controller, I assume the port ACL would be

any host <controller-ip> udp 4500 permit

That is all you need for RAP. Any user traffic going back out will be allowed back in by the user role's firewall policy; it will not be blocked by the implicit deny-all mentioned above.

vlan 10 OUTSIDE-INTERNET
!
ip access-list session OUTSIDE-INTERNET
   any any svc-dhcp permit                       (required for DHCP)
   any any tcp 22 permit                         (use this to allow SSH to controller)
   any any tcp 4343 permit                       (use this to allow SSL/WebUI to controller)
   any any tcp 80 dst-nat ip 192.168.168.100     (use the following to host multiple web servers - this one is NAT only, no PAT)
   any any tcp 81 dst-nat ip 192.168.168.101 80  (this one is port 81 incoming then NAT and PAT to port 80)
   any any tcp 82 dst-nat ip 192.168.168.102 80  (this one is port 82 incoming then NAT and PAT to port 80)
   any any tcp 83 dst-nat ip 192.168.168.103 80  (this one is port 83 incoming then NAT and PAT to port 80)
   any any tcp 37777 dst-nat ip 192.168.168.99
   any any any deny log
!
interface fastethernet 1/0
   description OUTSIDE-INTERNET
   trusted
   ip access-group OUTSIDE-INTERNET session
   switchport access vlan 10
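The two ACLs on this page (the one-line RAP rule for UDP 4500 and the OUTSIDE-INTERNET list with its dst-nat entries) follow the same ArubaOS session-ACL line shape: source, destination, service, action, optional NAT target, optional log. The script below is an added example, not part of the original article or any Aruba tool: it parses that shape (skipping the parenthesised annotations and `!` lines as they appear above), rebuilds the port-forward map, and runs a few defender-side checks an engineer would want before putting such an ACL on an Internet-facing port: management services (SSH 22, WebUI 4343) permitted from `any` source, rules shadowed by an earlier catch-all deny, and a list that ends without an explicit, logged deny. The sample ACLs are constructed copies; `198.51.100.10` is a documentation-range stand-in for the controller's public address, and the set of management ports is an assumption taken from the page's own rules.

```python
"""Parse and audit ArubaOS session ACLs written in the style shown on this page."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: controller management services that should not be open to any
# source; taken from the SSH and WebUI rules in the page's ACL.
MANAGEMENT_SERVICES = {("tcp", "22"), ("tcp", "4343")}

# One ACL rule: <src> <dst> <service> <action> [ip <nat-ip> [<nat-port>]] [log]
RULE_RE = re.compile(
    r"^(?P<src>any|host \S+|network \S+ \S+|alias \S+) "
    r"(?P<dst>any|host \S+|network \S+ \S+|alias \S+) "
    r"(?P<svc>any|svc-\S+|(?:tcp|udp) \d+(?: \d+)?) "
    r"(?P<action>permit|deny|dst-nat)"
    r"(?: ip (?P<nat_ip>\d+\.\d+\.\d+\.\d+)(?: (?P<nat_port>\d+))?)?"
    r"(?: (?P<log>log))?$"
)


@dataclass
class Rule:
    src: str
    dst: str
    proto: str                  # tcp, udp, svc-<name> or any
    port: Optional[str]         # first port for tcp/udp, else None
    action: str                 # permit, deny or dst-nat
    nat_ip: Optional[str] = None
    nat_port: Optional[str] = None
    log: bool = False

    def is_catch_all_deny(self) -> bool:
        return (self.src, self.dst, self.proto, self.action) == ("any", "any", "any", "deny")


def parse_session_acl(text: str) -> Tuple[Optional[str], List[Rule]]:
    """Return (ACL name, rules). Indented lines under 'ip access-list session'
    are rules; '(...)' annotations and '!' lines are ignored."""
    name: Optional[str] = None
    rules: List[Rule] = []
    in_acl = False
    for raw in text.splitlines():
        line = " ".join(re.sub(r"\(.*?\)", "", raw).split())  # drop notes, squeeze spaces
        if not line or line.startswith("!"):
            continue
        if line.startswith("ip access-list session "):
            name, in_acl = line.split()[-1], True
            continue
        if not raw[:1].isspace():          # an unindented command ends the ACL block
            in_acl = False
            continue
        if not in_acl:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        svc = m["svc"].split()
        port = svc[1] if svc[0] in ("tcp", "udp") else None
        rules.append(Rule(m["src"], m["dst"], svc[0], port, m["action"],
                          m["nat_ip"], m["nat_port"], m["log"] is not None))
    return name, rules


def nat_map(rules: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """External port -> (internal IP, internal port) for dst-nat rules.
    A dst-nat without a port keeps the external port (NAT only, no PAT)."""
    return {r.port: (r.nat_ip, r.nat_port or r.port)
            for r in rules if r.action == "dst-nat" and r.port and r.nat_ip}


def audit(rules: List[Rule]) -> List[str]:
    """Checks for an Internet-facing session ACL; returns human-readable findings."""
    findings: List[str] = []
    blocked = False
    for i, r in enumerate(rules, 1):
        if blocked:
            findings.append(f"rule {i} is unreachable: it follows a catch-all deny")
            continue
        if (r.action in ("permit", "dst-nat") and r.src == "any"
                and (r.proto, r.port) in MANAGEMENT_SERVICES):
            findings.append(f"rule {i}: management service {r.proto} {r.port} is "
                            "reachable from any source; restrict src to a management network")
        if r.is_catch_all_deny():
            blocked = True
    if not blocked:
        findings.append("no explicit catch-all deny: traffic falls to the implicit deny "
                        "without logging")
    return findings


# Constructed copy of the page's OUTSIDE-INTERNET ACL, annotations kept on purpose.
PAGE_ACL = """\
ip access-list session OUTSIDE-INTERNET
   any any svc-dhcp permit                       (required for DHCP)
   any any tcp 22 permit                         (use this to allow SSH to controller)
   any any tcp 4343 permit                       (use this to allow SSL/WebUI to controller)
   any any tcp 80 dst-nat ip 192.168.168.100     (NAT only, no PAT)
   any any tcp 81 dst-nat ip 192.168.168.101 80  (port 81 in, PAT to 80)
   any any tcp 82 dst-nat ip 192.168.168.102 80
   any any tcp 83 dst-nat ip 192.168.168.103 80
   any any tcp 37777 dst-nat ip 192.168.168.99
   any any any deny log
!
"""

# Constructed RAP-only ACL; 198.51.100.10 stands in for the controller's public IP.
RAP_ACL = """\
ip access-list session RAP-INBOUND
   any host 198.51.100.10 udp 4500 permit
"""

if __name__ == "__main__":
    for acl in (PAGE_ACL, RAP_ACL):
        name, rules = parse_session_acl(acl)
        print(f"{name}: {len(rules)} rules, NAT map {nat_map(rules)}")
        for finding in audit(rules):
            print("  -", finding)
```

Feed it the ACL section of `show running-config` (the rule lines must stay indented under the `ip access-list session` header, as the controller prints them); the RAP-only list passes the management check but is reported for ending on the implicit, unlogged deny.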
Version History: Revision 1 of 1, last update 09-25-2014 12:51 PM