Frequent Contributor I
Posts: 73
Registered: ‎08-16-2011

Dedicated VIA VPN - RAP controller ACL on its public interface

Hi,

We've dedicated 7220 controllers for RAPs & VIA VPN services.

We brought up 2 interfaces. One is used on an internal VLAN for management. The other is used on a publicly accessible VLAN interface for communication to VIA Clients & RAPs.

What kind of ACL can I apply on the public interface to restrict traffic to only those needed ports & protocols (udp 500, udp 4500, protocol 50) for RAPs & VIA VPN clients to work?

Is creating an access-list like so the way to go?

 

conf term
ip access-list session RAP-firewall
any any any deny
any any svc-ike permit
any any svc-natt permit
!

& then apply this to my port.

conf term 
interface gig 0/0/1
ip access-group RAP-firewall 
!

Would this suffice or is there a better way?

TIA,

--Raf
Guru Elite
Posts: 8,464
Registered: ‎09-08-2010

Re: Dedicated VIA VPN - RAP controller ACL on its public interface

That is exactly the way to do it!


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 73
Registered: ‎08-16-2011

Re: Dedicated VIA VPN - RAP controller ACL on its public interface

Thanks,

Ended up adding ICMP for troubleshooting purposes.

ip access-list session VIA-RAP-firewall
  any any svc-natt  permit 
  any any svc-https  permit 
  any any svc-icmp  permit 
  any any any  deny 
!

When time allows, I'll update ICMP to only allow from my organization's network.

Also, since the access-list I created was a session based ACL, I needed to supply a type when applying it to the interface.

(controller) #configure terminal interface gigabitethernet 0/0/1 ip access-group VIA-RAP-firewall 
% Incomplete command.

(controller) #configure terminal interface gigabitethernet 0/0/1 ip access-group VIA-RAP-firewall ?
in                      Apply access-list to interface's inbound traffic
out                     Apply access-list to interface's outbound traffic
session                 Apply session access-list to interface or Vlan

(controller) #show ip access-list VIA-RAP-firewall

ip access-list session VIA-RAP-firewall
VIA-RAP-firewall
----------------
Priority  Source  Destination  Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          svc-natt   permit                           Low                                                           4
2         any     any          svc-https  permit                           Low                                                           4
3         any     any          svc-icmp   permit                           Low                                                           4
4         any     any          any        deny                             Low                                                           4


(controller) #configure terminal interface gigabitethernet 0/0/1 ip access-group VIA-RAP-firewall session 
(controller) #

Thanks,

--Raf
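Session ACL rules on the controller are evaluated top-down and the first matching rule wins, so where the `any any any deny` line sits decides what gets through. The following added Python example (not from the thread or from Aruba) models that evaluation over the two ACL bodies posted above; the alias table that maps svc-ike, svc-natt, svc-https and svc-icmp to protocol and port is an assumption spelling out the controller's predefined services, and the sample flows are constructed.

```python
# Added example (not Aruba's code): session ACLs evaluated top-down, first
# match wins. Alias table is an assumption naming the thread's services.
from typing import Dict, List, Optional, Tuple
# service alias -> (IP protocol, destination port); None means "any".
SERVICE_ALIASES = {
    "svc-ike": ("udp", 500),
    "svc-natt": ("udp", 4500),
    "svc-https": ("tcp", 443),
    "svc-icmp": ("icmp", None),
    "any": (None, None),
}
# Constructed sample flows: name -> (protocol, destination port).
FLOWS = {
    "ike udp/500": ("udp", 500),
    "nat-t udp/4500": ("udp", 4500),
    "esp proto 50": ("esp", None),
    "https tcp/443": ("tcp", 443),
    "icmp": ("icmp", None),
    "ssh tcp/22": ("tcp", 22),
}
# The two ACL bodies from the thread, embedded as constructed input.
ACL_AS_ASKED = """
any any any deny
any any svc-ike permit
any any svc-natt permit
"""
ACL_AS_DEPLOYED = """
any any svc-natt  permit
any any svc-https  permit
any any svc-icmp  permit
any any any  deny
"""
def parse_acl(text: str) -> List[Tuple[str, str]]:
    # Keep "<src> <dst> <service> <action>" rules in order; skip other lines.
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] in SERVICE_ALIASES:
            rules.append((parts[2], parts[3]))
    return rules
def evaluate(rules: List[Tuple[str, str]], proto: str, dport: Optional[int]) -> str:
    # Action of the first matching rule; implicit deny if nothing matches.
    for service, action in rules:
        r_proto, r_port = SERVICE_ALIASES[service]
        if r_proto is None or (r_proto == proto and r_port in (None, dport)):
            return action
    return "deny"
def verdicts(acl_text: str) -> Dict[str, str]:
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, p, d) for name, (p, d) in FLOWS.items()}
```

Running `verdicts()` over both bodies shows every flow denied by the first ordering and only NAT-T, HTTPS and ICMP permitted by the deployed one, including which of the three protocols named in the question each ACL covers.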