08-14-2013 08:09 AM
I have a strange problem. I have a RAP, which is working perfectly. The RAP is situated at my home office, behind a Cisco router with one public IP address. The controller is situated at the corporate office. The controller is broadcasting a simple WPA2 PSK SSID at the corporate network in tunneled mode and the SSID is terminated on a local corporate network.
I can connect to the corporate SSID when I am at the office and I can browse internal resources and the internet without any problems. I have a NAS at my home office, which is available at the internet via a NAT mapping on the Cisco. I can access this NAS from everywhere on the public IP address of my home office, except when I am at the corporate office.
I did a Wireshark on the corporate firewall and when I try to access my home public IP via ssh, http, https or what ever, the traffic isn't coming in or going out through the corporate firewall. It looks like the traffic is blocked or discarded or routed somewhere else by the wireless controller, but I cannot find where.
To be sure that the problem isn't the firewall at the corporate office, I configured a stand-alone Cisco AP with the same SSID and PSK in the same corporate VLAN. I can access my home network when I connect to the Cisco AP. So I am almost 100% sure that the problem is caused by the Aruba controller.
Is anyone familiar with this problem or is this by design for public IP addresses of a RAP?
Solved! Go to Solution.
08-14-2013 08:32 AM - edited 08-14-2013 08:36 AM
I still try to understand, What is the RAP at your home got anything to do ... :smileysurprised:
or I haven't understand u right.
U have RAP at your Home office.
When u are in your corp. officee (outside your home) - you are unable to contact you home ip in any method.... Via Aruba Ap's-controller.
That what u mean?
- Can u check what userrole are u getting and what it's allowing to u? When u connected to Aruba AP at your office?
- First find yourself in the client list - check what userrole did u got.
- then go to the access control roles and check what open ports / services does the it allowing to u. (please screenshot and paste it to your next post)
If u are trying to connect via your RAP to your local home resucroes,
u might wanna try to configure the ap-system profile of this rap unit:
- with a good session - acl that will fit ur needs
- or add the v to the remote-ap local network access
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
08-14-2013 09:01 AM - edited 08-14-2013 09:04 AM
If I hear you right:
Your NAS at home is 220.127.116.11 for example. When your RAP connects to the controller, it too comes in appearing as 18.104.22.168. When you are a wireless user at the office, you cannot access the NAS at 22.214.171.124. I presume the controller sees your incoming request to route traffic to 126.96.36.199. It knows it has a RAP terminated on it from that IP. All traffic the controller will try to send through the IPsec tunnel of the RAP; thus the request to the NAS does not make it.
To confirm, have you tried to access the NAS at 188.8.131.52 from the wired network at the office? Or take the RAP offline and see if you can access it. If so, I think you are out of luck trying to reach that IP through wireless due to the routing of the controller of that public IP when the RAP is connected.
You could do series of things to try and workaround this; including setting up some routes to your internal home network through the RAP and allow corporate users to route the NAS requests through the RAP rather than over the Internet.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
08-14-2013 09:21 AM
I looked at the user role and the user gets the authenticated role from the controller. So the user has all access to all resources. The RAP is in the picture, because the RAP is connected to the controller with the same public IP address. It looks like you cannot connect to public IP address from which the RAP is terminating a VPN session.
08-14-2013 09:24 AM
@clembo: I think you are absolutely right. I can access my NAS when I have a wired connection at the corporate office or (like I tested) when I connect through a standalone Cisco AP.
It definitely looks like the controller is sending all traffic through the VPN tunnel and not only udp/4500 traffic. I will try some options and configurations to see if I can route my public network through the VPN tunnel.
08-16-2013 02:41 AM - edited 08-16-2013 02:41 AM
I upgraded the controller from 6.2 to the early deployment of 6.3. It looks like this version solves the problem, because I can now access my NAS en router on the public IP without any problems.