Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How can I control the firewall settings on my 3600 controller

  • 1.  How can I control the firewall settings on my 3600 controller

    Posted Mar 21, 2014 12:33 PM

    We use RAPs extensively here.  No issues with the remote users, I just need to be able to get access to their machines.  They connect via the Staff network and are assigned an IP in VLAN 92.  From within my corporate network I want to ping (or ideally RDP) to their machines via their RAP-assigned IPs.  I know my internal routing is correct but the traffic is being stopped at the controller.  It appears as if there is a firewall rule somewhere preventing this traffic.

     

    I'm a bit lost in the interface.  Can anyone point me in the right direction as to how to enable specific ports from my internal network to go through the controller and down to RAP-connected devices?


    #3600


  • 2.  RE: How can I control the firewall settings on my 3600 controller
    Best Answer

    EMPLOYEE
    Posted Mar 21, 2014 12:43 PM

    First, check to see if you can even ping the controller's IP address on VLAN 92.  Next, you need to ensure that your employees get a role that does not block your traffic.  Firewall policies are attached to users.  On the command line, type "show user" to find out what role your user in VLAN 92 has.  Next, type "show rights <role>" to see what firewall policies are being applied.  When you find out the name of that role for your users, it can be edited at Configuration > Security > Access Control > User Roles.

     



  • 3.  RE: How can I control the firewall settings on my 3600 controller

    Posted Mar 21, 2014 12:52 PM

    Thank you.  I was able to see that the role is RAPWiredPhone.  In the UI I see that a number of policies are applied.  So I think I have the right role now.

     

    To be clear in what I want to accomplish:  Users on the RAP are assigned an IP in the 192.168.92.0 subnet.  I'm internal, say 10.10.50.0 subnet.  I want my machine on 10.10.50.x to be able to get to 192.168.92.x. 

     

    I have a group already defining our internal subnets and a rule that says source: any, destination: <my subnets>, permit.  Do I need one reversed, for example source: <my subnets>, destination: any?



  • 4.  RE: How can I control the firewall settings on my 3600 controller

    EMPLOYEE
    Posted Mar 21, 2014 01:16 PM

    You might have to ask your network manager or even the person who set up the RAPs if that VLAN is even routable to where you are on the 10.x.x.x subnet.  If it is not, there is nothing you can do.  If it is routable, that ACL (assuming it is not blocking anything else) should allow you to reach those devices.



  • 5.  RE: How can I control the firewall settings on my 3600 controller

    Posted Mar 21, 2014 01:54 PM

    It's definitely routable.  I'll experiment with what you gave me and see if I can get this to work.



  • 6.  RE: How can I control the firewall settings on my 3600 controller

    Posted Mar 21, 2014 03:57 PM

    Thank you for your help.  The show users was key in helping me wade through the million different policies to figure out which ones I needed to modify.  Much appreciated.