New Contributor
Posts: 3
Registered: ‎12-13-2016

Access to internal mail server from guest network

We have a simple Instant AP setup with a handful of VLANs and SSIDs.

VLAN279 - Servers - 10.245.279.0/24 GW 10.245.279.1

VLAN280 - Wireless Access Points - 10.245.280.0/24 GW 10.245.280.1
VLAN281 - Wireless Clients Internal - 10.245.281.0/24 GW 10.245.281.1
VLAN282 - Guest Wireless Clients - 10.245.282.0/24 GW 10.245.282.1

INTERNAL SSID - No network restrictions.  Internal DNS

GUEST SSID - Internet access unrestricted, no access to VLAN280, 281 OR 279 with the exception of DHCP from 279.  Google DNS.

Our mail server is 10.245.279.190, so two questions:
1) How do I allow the guest traffic access to only 443 on a single host from the Guest SSID?

2) How do I resolve DNS for mail.mycompany.com to tell traffic to use internal IP instead of external IP?

MVP
Posts: 952
Registered: ‎04-13-2009

Re: Access to internal mail server from guest network

Hi,

Here are some instructions regarding how to add an access rule on your Instants.

Regarding resolving your internal mail server IP, this is more difficult. There are a couple of options I can think of.

  1. Allow guest access to your mail server via its external IP. E.g. route out then back in. 
  2. Configure new guest DNS servers in your DMZ and add your internal mail server DNS entry.

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
MVP
Posts: 952
Registered: ‎04-13-2009

Re: Access to internal mail server from guest network

Oooh, another option would be to destination NAT the traffic destined for your mail server external IP to the mail server internal IP.

Destination NAT on Aruba Instant.

Cheers
James

New Contributor
Posts: 3
Registered: ‎12-13-2016

Re: Access to internal mail server from guest network

And this seems more logical to me because there certainly isn't any other device on our internal network to which the guest network will be granted access.  443 on one IP and that's it.

Thanks so much for the help --- going to try and roll this out today.

MVP
Posts: 952
Registered: ‎04-13-2009

Re: Access to internal mail server from guest network

No worries. Let us know how you get on.

Cheers

James

New Contributor
Posts: 3
Registered: ‎12-13-2016

Re: Access to internal mail server from guest network

Blamo - simple as can be.  

Added an Access Rule for Destination NAT, NAT'ed public IP to private IP on 443 only, rule below it blocking all access to that subnet.

Worked like a charm.  Thanks again.
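
The rule order described in the last post (destination NAT for the public IP on 443, then a deny for the server subnet), modelled as a first-match rule list and checked against the guest policy from the first post. This is an added example, not part of the thread and not Aruba Instant configuration; the addresses, the rule tuple layout and the function names are constructed for illustration, and first-match evaluation with an implicit final deny is an assumption of the model.

```python
import ipaddress

# Constructed stand-in addresses (assumptions, not values from the thread).
MAIL_PUBLIC = "203.0.113.10"   # external IP that mail.mycompany.com resolves to
MAIL_PRIVATE = "10.0.79.190"   # mail server on the server VLAN
SERVER_NET = "10.0.79.0/24"    # server VLAN subnet

# Ordered guest-role rules: (destination, protocol, port, action, NAT target)
GUEST_RULES = [
    (MAIL_PUBLIC + "/32", "tcp", 443, "dst-nat", MAIL_PRIVATE),
    (SERVER_NET, "any", None, "deny", None),
    ("0.0.0.0/0", "any", None, "permit", None),
]

def evaluate(rules, dst_ip, proto, port):
    """Return (action, effective destination) from the first matching rule."""
    dst = ipaddress.ip_address(dst_ip)
    for net, r_proto, r_port, action, nat_to in rules:
        if dst not in ipaddress.ip_network(net):
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        return action, (nat_to if action == "dst-nat" else dst_ip)
    return "deny", dst_ip  # assumed implicit deny when nothing matches

def audit(rules):
    """Run the guest policy checks; return the cases the rule list gets wrong."""
    cases = [
        # (destination, protocol, port, expected result)
        (MAIL_PUBLIC, "tcp", 443, ("dst-nat", MAIL_PRIVATE)),  # webmail via NAT
        (MAIL_PRIVATE, "tcp", 443, ("deny", MAIL_PRIVATE)),    # no direct access
        (MAIL_PRIVATE, "tcp", 25, ("deny", MAIL_PRIVATE)),     # no other ports
        ("10.0.79.20", "tcp", 445, ("deny", "10.0.79.20")),    # no other servers
        ("198.51.100.7", "tcp", 443, ("permit", "198.51.100.7")),  # internet
    ]
    violations = []
    for dst, proto, port, expected in cases:
        got = evaluate(rules, dst, proto, port)
        if got != expected:
            violations.append(((dst, proto, port), got))
    return violations

if __name__ == "__main__":
    print("violations:", audit(GUEST_RULES))
```

Running `audit` on a list where the permit-any rule sits above the subnet deny reports the three server-VLAN cases as violations, which is why the deny has to stay directly below the NAT rule.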
