Frequent Contributor I
Posts: 72
Registered: ‎02-28-2012

Firewall Policy for RAP-Split Tunnel Forward Mode

Right now I have set up a remote network with split tunnel and it is working well.

Clients can get DHCP from HQ, authenticate to Amigopod (HQ) and then browse the internet from their local site.

But our client wants to do some web filtering for their guests on the remote site, and only allow their corporate website.

I have tried to add this config on our guest-authenticated role:

netdestination Agent-Sites-Invert
invert
name website.number1.com
name website.number2.com

netdestination Agent-Sites
name website.number1.com
name website.number2.com

-------

ip access-list session Agent-Web-01
any alias Agent-Sites-Invert svc-http deny
any alias Agent-Sites-Invert svc-https deny
any any any route src-nat

user-role guest
access-list session cplogout
access-list session dhcp-acl
access-list session icmp-acl
access-list session dns-acl
access-list session LocalNetworks
access-list session Agent-Web-01

-- or --

ip access-list session Agent-Web-02
any alias Agent-Sites any permit

user-role guest
access-list session cplogout
access-list session dhcp-acl
access-list session icmp-acl
access-list session dns-acl
access-list session LocalNetworks
access-list session Agent-Web-02

--------

But none of them seems to work.

Any ideas?

Thanks

Frequent Contributor I
Posts: 72
Registered: ‎02-28-2012

Sorry I forgot to mention, the controller is 3000 series...

Sorry I forgot to mention, the controller is 3000 series OS 6.1.3.4 and the access point is 105.

Thanks

Guru Elite
Posts: 21,588
Registered: ‎03-29-2007

Re: Sorry I forgot to mention, the controller is 3000 series...

Did you define a DNS name server and a domain on the controller? https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-264
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 72
Registered: ‎02-28-2012

Re: Firewall Policy for RAP-Split Tunnel Forward Mode

Hi cjoseph,

Yes, I have configured the IP NAME SERVER and DOMAIN LOOKUP.

Our guests are using the captive portal and they are already redirected to the landing page as soon as they browse the internet.

I also rechecked our setup as you suggested, and everything works fine.

Guru Elite
Posts: 21,588
Registered: ‎03-29-2007

Re: Firewall Policy for RAP-Split Tunnel Forward Mode

Let's take a step back:

- Where is this web filter located? It must be inline to the guest traffic, have the guests set a proxy that points to the web filter, or use a cloud-based solution that can filter guest client traffic from a RAP; otherwise this will not work.

Exactly how does the user want this to function and what is the big picture?



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 72
Registered: ‎02-28-2012

Re: Firewall Policy for RAP-Split Tunnel Forward Mode

The web filter policy is actually from the HQ controller, not on some device inline with the RAP or guest traffic.

There are no proxy nor cloud-based solutions for this setup.

Our clients thought that there might be some way to push the filtering to the RAP on the remote location; is it possible?

This setup is intended for remote guests, and our client wants to open only a few websites for them to access.

Thanks.

Guru Elite
Posts: 21,588
Registered: ‎03-29-2007

Re: Firewall Policy for RAP-Split Tunnel Forward Mode

Okay. Would it be fair enough to start with IP address filtering? I don't think that the RAP can reverse lookup a URL and allow/block like the controller can...

Colin Joseph
Aruba Customer Engineering

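As an added illustration of the IP-address-filtering approach suggested above (example code, not from the thread or from Aruba): a small generator that resolves the allowed hostnames and emits an IP-based netdestination plus a session ACL in ArubaOS running-config form. The hostnames are the thread's placeholders; the addresses (TEST-NET-3) and the alias/ACL names are constructed.

```python
"""Generate an IP-based ArubaOS allow-list for a split-tunnel guest role.
Added example, not from the thread or from Aruba: it follows the advice to
start with IP address filtering because the RAP cannot evaluate DNS-name
netdestinations. Hostnames are the thread's placeholders; addresses and
alias/ACL names are constructed for illustration."""
import ipaddress
import socket

# Constructed table standing in for live DNS answers, so the script runs
# offline; pass table=None to query DNS with socket.gethostbyname_ex.
SAMPLE_RESOLUTION = {
    "website.number1.com": ["203.0.113.11", "203.0.113.10", "203.0.113.10"],
    "website.number2.com": ["203.0.113.20"],
}


def resolve(hostname, table=None):
    """Return the de-duplicated IPv4 addresses of hostname, sorted numerically.
    Each answer is validated so a bad record cannot emit a malformed line."""
    if table is not None:
        answers = table.get(hostname, [])
    else:
        answers = socket.gethostbyname_ex(hostname)[2]
    return [str(a) for a in sorted({ipaddress.IPv4Address(a) for a in answers})]


def build_policy(hostnames, alias="Agent-Sites", acl="Agent-Web-IP", table=None):
    """Emit netdestination and session ACL lines in running-config form.
    Web traffic to the alias leaves the RAP locally via route src-nat; all
    other traffic falls to the role's implicit deny."""
    hosts = [ip for name in hostnames for ip in resolve(name, table)]
    if not hosts:
        # An empty alias plus the implicit deny would block every guest
        # site, so refuse to emit a policy rather than fail silently.
        raise ValueError("no addresses resolved; policy not generated")
    lines = [f"netdestination {alias}"]
    lines += [f"  host {ip}" for ip in hosts]
    lines += [
        "!",
        f"ip access-list session {acl}",
        f"  any alias {alias} svc-http route src-nat",
        f"  any alias {alias} svc-https route src-nat",
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(build_policy(list(SAMPLE_RESOLUTION), table=SAMPLE_RESOLUTION)))
```

IP-based entries go stale when the sites change address (CDN fronting, DNS round robin), so regenerate on a schedule and diff the output against the running config before applying it.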

Frequent Contributor I
Posts: 72
Registered: ‎02-28-2012

Re: Firewall Policy for RAP-Split Tunnel Forward Mode

Thanks for the heads-up cjoseph,

I will try it next year (2 more days) and post the result.

Happy New Year!

MVP
Posts: 3,020
Registered: ‎10-25-2011

Re: Firewall Policy for RAP-Split Tunnel Forward Mode

Why don't you just do tunnel mode and do that on the corporate site?

I don't see the use of split tunneling if you're doing that... I mean you're just allowing their corporate website.

If the guest network just has a VLAN that only exists on the controller and is NATting, well, you will have to apply the web filter to that IP, and this will work... you don't need to do anything on the controller actually.

It would be nice if you could tell us why you need to put it on split tunneling if you're just allowing only their corporate website. They're actually not allowing internet, it seems, just a few websites that the corporate owns?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Frequent Contributor I
Posts: 72
Registered: ‎02-28-2012

Re: Firewall Policy for RAP-Split Tunnel Forward Mode

Hi Nightshade,

Our remote sites are using their own ISPs; there is no MPLS / VPN connection from there to HQ.

We provide a wireless network for our freelance agents across the country. They need access to our corporate website (but still accessed from the public IPs) to input queries, seek information, etc.

That's why we need to filter the access.

Unfortunately I can't test the IP-based filtering as of today, I'm still on my vacation. Will update as soon as I can.

Thanks
