JYL
Occasional Contributor II

VIA: what ports need to be allowed on the firewall for VIA?

Has anybody implemented VIA on their network? What firewall rules are needed to make VIA work?

I tried this in my lab, but allowing only udp 4500 doesn't work, unless my config is wrong. I've used the same ACL in my lab to provision and test all 30 of my RAP5WNs and they are all working fine. But when I tried to configure VIA it won't connect; if I remove the ACL and allow everything, VIA works fine.

Cisco router (the IPs are my two controllers, and they are bogus numbers):
ip access-list extended SVN-RULE-OUT
permit udp any eq 4500 host 161.91.71.130 eq 4500
permit udp any eq 4500 host 161.91.81.130 eq 4500
ip access-list extended SVN-RULE-IN
permit udp host 161.91.71.130 eq 4500 any eq 4500
permit udp host 161.91.81.130 eq 4500 any eq 4500

Can anybody share your firewall config for allowing VBN from untrusted to trusted, on either an ASA, Juniper or Cisco firewall?

I tried calling Aruba and one guy told me I need to add udp 500 etc., which contradicts the diagram on Aruba's website that says to allow NAT-T only.

Thanks in advance for sharing.
JYL
Occasional Contributor II

Ports needed for VIA

Also allow TCP port 443 (HTTPS).
JYL
Occasional Contributor II

Re: VIA: what ports need to be allowed on the firewall for VIA?

So how will you allow it sourced from the outside?

So it's something like this (keep in mind that TCP is a three-way handshake):

ACL-IN
permit tcp any gt 1023 host 161.91.81.130 eq 443
ACL-OUT
permit tcp host 161.91.81.130 eq 443 any gt 1023 established

Aruba's website shows NAT-T only; do you think they made a mistake on this? Also, they state it will check IPSec and then fall back to SSL, which encapsulates the IPSec. What do you guys think of that statement?

http://arubanetworks.com/products/virtual_branch_networks/virtual_intranet_agent.php

Again, thanks for your response.
JYL
Aruba Employee

Re: VIA: what ports need to be allowed on the firewall for VIA?

> Aruba's website shows NAT-T only; do you think they made a mistake on this? Also, they state it will check IPSec and then fall back to SSL, which encapsulates the IPSec. What do you guys think of that statement?
>
> http://arubanetworks.com/products/virtual_branch_networks/virtual_intranet_agent.php

In normal operation, if NAT-T (udp/4500) is allowed, tcp/443 is used only for the connectivity test. However, tcp/443 on the VIA controller allows the end user to:
- Download the VIA client software
- Download the latest connection profile (if the user happens to clear the profile, or needs to connect to a different organization)

Also, it can be used for SSL fallback if NAT-T (udp/4500) is blocked.

The current (5.0) documentation fails to mention the requirement to open tcp/443 from the Internet. This will be corrected in the 6.0 user guide. Also, the requirement for tcp/443 might be dropped in a future VIA release, but stay tuned for that.
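Added example, not part of any post above and not Aruba's or Cisco's code: a small Python evaluator for the Cisco extended-ACL syntax used in this thread. It runs the SVN-RULE-OUT / SVN-RULE-IN pair from the first post, and a corrected pair, against constructed traffic from a VIA client behind a home NAT. The corrected pair is my assumption, not a posted config: it permits udp/4500 from any client source port (a NAT in front of the client commonly rewrites the UDP source port, so pinning it to 4500 on the firewall drops the client's NAT-T packets and the controller's replies) and adds tcp/443 as the reply above describes. The controller addresses are the bogus ones from the thread; the client address 203.0.113.7, the port numbers, the ACL list names and verdicts() are mine.

```python
"""Added example (not Aruba's or Cisco's code): evaluator for the Cisco
extended-ACL entries used in this thread.  Grammar supported:
  permit|deny PROTO SRC [PORTOP] DST [PORTOP] [established]
  SRC/DST: any | host A.B.C.D | A.B.C.D WILDCARD ; PORTOP: eq|neq|gt|lt N | range N M"""
import ipaddress
from dataclasses import dataclass

ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with an all-ones wildcard: matches everything

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    established: bool = False  # TCP segment carrying ACK or RST

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(toks, i):
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2

def _parse_ports(toks, i):
    if i < len(toks) and toks[i] in ("eq", "neq", "gt", "lt"):
        return (toks[i], int(toks[i + 1]), None), i + 2
    if i < len(toks) and toks[i] == "range":
        return ("range", int(toks[i + 1]), int(toks[i + 2])), i + 3
    return ("any", None, None), i

def parse_ace(line):
    """Return (action, proto, src, sports, dst, dports, established)."""
    toks = line.split()
    if toks[0] not in ("permit", "deny"):
        raise ValueError("unsupported ACE: " + line)
    src, i = _parse_addr(toks, 2)
    sports, i = _parse_ports(toks, i)
    dst, i = _parse_addr(toks, i)
    dports, i = _parse_ports(toks, i)
    return toks[0], toks[1], src, sports, dst, dports, "established" in toks[i:]

def _addr_match(spec, ip):
    net, wild = spec  # wildcard bits set to 1 are "don't care"
    return (_ip(ip) ^ net) & (0xFFFFFFFF ^ wild) == 0

def _port_match(spec, port):
    op, a, b = spec
    ops = {"any": lambda: True, "range": lambda: a <= port <= b, "eq": lambda: port == a,
           "neq": lambda: port != a, "gt": lambda: port > a, "lt": lambda: port < a}
    return ops[op]()

def evaluate(acl, flow):
    """First matching ACE wins; Cisco's implicit deny applies at the end."""
    for action, proto, src, sports, dst, dports, est in map(parse_ace, acl):
        if proto not in (flow.proto, "ip") or (est and not flow.established):
            continue
        if (_addr_match(src, flow.src) and _port_match(sports, flow.sport)
                and _addr_match(dst, flow.dst) and _port_match(dports, flow.dport)):
            return action
    return "deny"

# Controller addresses as posted in the thread (the poster says they are bogus).
CONTROLLERS = ["161.91.71.130", "161.91.81.130"]

# The thread's SVN-RULE-OUT / SVN-RULE-IN: NAT-T only, client source port pinned to 4500.
THREAD_TO_CONTROLLER = [f"permit udp any eq 4500 host {c} eq 4500" for c in CONTROLLERS]
THREAD_FROM_CONTROLLER = [f"permit udp host {c} eq 4500 any eq 4500" for c in CONTROLLERS]

# Corrected pair (my assumption, not a posted config): any client source port,
# plus tcp/443 as described by the Aruba employee; TCP replies only once established.
FIXED_TO_CONTROLLER = ([f"permit udp any host {c} eq 4500" for c in CONTROLLERS]
                       + [f"permit tcp any host {c} eq 443" for c in CONTROLLERS])
FIXED_FROM_CONTROLLER = ([f"permit udp host {c} eq 4500 any" for c in CONTROLLERS]
                         + [f"permit tcp host {c} eq 443 any established" for c in CONTROLLERS])

# Constructed traffic: a VIA client whose home NAT rewrote its udp/4500 source port to 61234.
CLIENT = "203.0.113.7"
FLOWS = {
    "natt_in": Flow("udp", CLIENT, 61234, CONTROLLERS[0], 4500),
    "natt_reply": Flow("udp", CONTROLLERS[0], 4500, CLIENT, 61234),
    "https_in": Flow("tcp", CLIENT, 51000, CONTROLLERS[0], 443),
    "https_reply": Flow("tcp", CONTROLLERS[0], 443, CLIENT, 51000, established=True),
    "isakmp_in": Flow("udp", CLIENT, 500, CONTROLLERS[0], 500),  # not in either list
}

def verdicts(to_controller, from_controller):
    """Verdict for each constructed flow under an (inbound, return) ACL pair."""
    return {name: evaluate(to_controller if f.dst in CONTROLLERS else from_controller, f)
            for name, f in FLOWS.items()}

if __name__ == "__main__":
    print("as posted:", verdicts(THREAD_TO_CONTROLLER, THREAD_FROM_CONTROLLER))
    print("corrected:", verdicts(FIXED_TO_CONTROLLER, FIXED_FROM_CONTROLLER))
```

Under the ACL as posted, every constructed flow is denied: the NAT-translated udp/4500 packet fails the `eq 4500` source-port test, its reply fails the matching destination-port test, and tcp/443 is not listed at all. Under the corrected pair the NAT-T exchange and the HTTPS exchange are permitted while udp/500 stays denied, following the reply above rather than the phone advice; add an IKE udp/500 entry only if your deployment turns out to need it. The `established` entries model a stateless router ACL like the one in the thread; a stateful firewall such as an ASA needs only the client-to-controller permits and tracks the return traffic itself.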
Frequent Contributor I

Re: VIA: what port needed to allow on firewall for VIA?

Great info :)