Occasional Contributor II
Posts: 18
Registered: ‎03-14-2013

Aruba 3400 - allow IPSec through

I'm new to Aruba, and I've found that on our guest network, IPSec VPNs are being blocked by the controller. I need some guidance on how to allow IPSec out to allow people on our guest network access to their home company's resources.

 

Controller is Aruba 3400, software version is 6.1.3.4.  Outside internet is terminated by a Cisco ASA and firewall services are handled by the ASA (tested VPN directly out through ASA via wired LAN and it works perfectly).

Scott A. Jones, CCVP
Network Architect
Orrick, Herrington and Sutcliffe LLP
MVP
Posts: 4,006
Registered: ‎07-20-2011

Re: Aruba 3400 - allow IPSec through

 

Is it allowed under the guest user-role?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 18
Registered: ‎03-14-2013

Re: Aruba 3400 - allow IPSec through

I don't mean to sound like an idiot, but I'm going to anyway...where exactly should I be looking for the 'guest user role'?

Scott A. Jones, CCVP
Network Architect
Orrick, Herrington and Sutcliffe LLP
MVP
Posts: 4,006
Registered: ‎07-20-2011

Re: Aruba 3400 - allow IPSec through

Aruba allows you to apply policies to users through user-roles; each user-role has ACLs defined.

 

If you run show rights, it will let you see all your user-roles, but if you want to see what role a certain user is getting, you can run show user-table | include <mac address> or <ip-address>; this command will let you see which user-role a particular user is tied to.

 

Users
-----
IP            MAC                Name                Role        Age(d:h:m)  Auth  AP name
10.10.30.209  00:11:22:33:44:55  testuser@gmail.com  GUEST-ROLE  00:01:23    Web   AP-TEST

And you can get the specifics of how that user-role is configured by using show rights GUEST-ROLE.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 18
Registered: ‎03-14-2013

Re: Aruba 3400 - allow IPSec through

Great stuff. Thanks. I'm noticing on one of our other controllers that's been up for a while that there's an 'allow all' at the end of the guest policy. I'm guessing that's what needs to be added to allow the VPN traffic, but at the same time, I want to make sure that I'm not allowing my guest subnet to cross over into my corporate network.

 

What's the best way to allow IPSec on the guest network and still maintain the integrity of my corporate wireless?

Scott A. Jones, CCVP
Network Architect
Orrick, Herrington and Sutcliffe LLP
MVP
Posts: 4,006
Registered: ‎07-20-2011

Re: Aruba 3400 - allow IPSec through

 

Create an access list allowing the ports needed for VPN and apply it to the user-role.

ip access-list session GUEST-VPN-ACL
  any any svc-ike permit
  any any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
  user any svc-natt permit

You can configure it this way if you are NATing under the VLAN; if not, you have to apply your source NATing for each rule.

user-role GUEST-ROLE
  access-list session GUEST-VPN-ACL position "based on how you have your ACL configured"

 

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
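
The position question raised in the reply above, as an added example that is not part of the original thread and is not Aruba code: a small first-match model of a guest role's session ACL, comparing three rule orderings against the concern about guests reaching the corporate network. The corporate range 10.0.0.0/8, the sample addresses and all Python names are constructed assumptions; the model checks destination, protocol and port only and treats an unmatched flow as denied.

```python
import ipaddress

# Protocol/port behind each service alias used in GUEST-VPN-ACL
# (standard assignments: IKE udp/500, NAT-T udp/4500, ESP ip/50,
# GRE ip/47, L2TP udp/1701, PPTP tcp/1723).
SERVICES = {
    "svc-ike": ("udp", 500), "svc-natt": ("udp", 4500),
    "svc-l2tp": ("udp", 1701), "svc-pptp": ("tcp", 1723),
    "svc-esp": ("esp", None), "svc-gre": ("gre", None),
    "any": (None, None),
}

def matches(rule, dst_ip, proto, port):
    """True if a (dest_network, service, action) rule covers the flow."""
    network, service, _action = rule
    want_proto, want_port = SERVICES[service]
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(network):
        return False
    if want_proto is not None and want_proto != proto:
        return False
    return want_port is None or want_port == port

def evaluate(rules, dst_ip, proto, port=None):
    """First matching rule wins; no match at all means deny."""
    for rule in rules:
        if matches(rule, dst_ip, proto, port):
            return rule[2]
    return "deny"

CORP_NET = "10.0.0.0/8"   # assumption: constructed corporate range
ANYWHERE = "0.0.0.0/0"
VPN_RULES = [(ANYWHERE, svc, "permit") for svc in
             ("svc-ike", "svc-esp", "svc-l2tp", "svc-pptp", "svc-gre", "svc-natt")]

# Ordering A: corporate deny positioned above the VPN permits.
DENY_CORP_FIRST = [(CORP_NET, "any", "deny")] + VPN_RULES
# Ordering B: VPN permits followed by a trailing allow-all, no corporate deny.
ALLOW_ALL_LAST = VPN_RULES + [(ANYWHERE, "any", "permit")]
# Ordering C: corporate deny present but positioned below the VPN permits.
DENY_CORP_LAST = VPN_RULES + [(CORP_NET, "any", "deny")]

if __name__ == "__main__":
    for name, rules in [("A", DENY_CORP_FIRST), ("B", ALLOW_ALL_LAST),
                        ("C", DENY_CORP_LAST)]:
        print(name,
              evaluate(rules, "203.0.113.10", "udp", 500),  # IKE to outside gateway
              evaluate(rules, "10.1.2.3", "tcp", 445),      # SMB to corporate host
              evaluate(rules, "10.1.2.3", "udp", 500))      # IKE to corporate host
```

Ordering C is the subtle case: the corporate deny stops ordinary traffic, but the VPN services still reach corporate addresses because their permits match first.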
Occasional Contributor II
Posts: 18
Registered: ‎03-14-2013

Re: Aruba 3400 - allow IPSec through

Great stuff.  Appreciate the help!

Scott A. Jones, CCVP
Network Architect
Orrick, Herrington and Sutcliffe LLP