Wireless Access

We have a simple Instant AP setup with a handful of VLANS and SSIDS.

VLAN279 - Servers - 10.245.279.0/24 GW 10.245.279.1

VLAN280 - Wireless Access Points - 10.245.280.0/24 GW 10.245.280.1
VLAN281 - Wireless Clients Interal - 10.245.281.0/24 GW 10.245.281.1
VLAN282 - Guest Wireless Clients - 10.245.282.0/24 GW 10.245.282.1

INTERNAL SSID - No network restrictions.  Internal DNS

GUEST SSID - Internet access unrestricted, no access to VLAN280, 281 OR 279 with the exception of DHCP from 279.  Google DNS.
Our mail server is 10.245.279.190 so two questions :
1) How do I allow the guest traffic access to only 443 on a single host from the Guest SSID?

2) How do I resolve DNS for mail.mycompany.com to tell traffic to use internal IP instead of external IP?

Hi,

Here's some instructions regarding how to add an access rule on your instants.

Regarding resolving your internal mail server IP, this is more difficult. There are a couple of options I can think of.

1. Allow guest access to your mail server via its external IP. E.g. route out then back in. 
2. Configure new guest DNS servers in your DMZ and add your internal mail server DNS entry.

Oooh, another option would be to destination NAT the traffic destined for your mail server external IP to the mail server internal IP.

Destination NAT on Aruba Instant.

And this seems more logical to me because there certainly isn't any other device on our internal network to which the guest network will be granted access.  443 on one IP and that's it.

Thanks so much for the help --- going to try and roll this out today.

No worries. Let us know how you get on.

Cheers

James

Blamo - simple as can be.  

Added an Access Rule for Destination NAT, NAT'ed public IP to private IP on 443 only, rule below it blocking all access to that subnet.

Worked like a charm.  Thanks again.