Regular Contributor I

How to protect the public-ip from unauthorized access - firewall policy

Hi,

I have a setup like below. There will be some RAP units connecting from the outside to the controller.

-----private-net(vlan-2)-----Controller---Public-net---

I noticed some SSH access attempts on the public interface of the controller. I want to protect the public IP from management access.

I was trying to configure a policy that allows only the RAPs to connect to the public IP and drops the rest, but still lets the VLAN-2 traffic be "ip nat inside" and go to the Internet.

I am confused about the firewall policy configuration and how in, out and session work. I cannot untrust the public interface port.

(attached screenshot: policy.JPG)


Guru Elite

Re: How to protect the public-ip from unauthorized access - firewall policy

Simply create a session-based ACL allowing the inbound traffic you want and apply it to the outside interface. See the post below:

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Dedicated-VIA-VPN-RAP-controller-ACL-on-its-public-interface/m-p/202917

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: How to protect the public-ip from unauthorized access - firewall policy

Hi,

Literally, the firewall policy "in" is incoming traffic, and "out" is outgoing traffic.

Session is applied both ways.

The port need not be untrusted for this applied policy to take effect, right?

Guru Elite

Re: How to protect the public-ip from unauthorized access - firewall policy

Yes, session handles established connections. You don't need to make the port untrusted. Just apply the ACL to the port.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
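Putting the two replies above together as a concrete configuration (the session ACL from the first reply, applied on a trusted port as the second reply says). This is an added example, not configuration from the original thread or from the linked post; the ACL name, the interface number and the assumption that the RAPs reach the controller over IPsec (IKE on UDP 500, NAT-T on UDP 4500, ESP) are mine, so adjust them for your platform and RAP transport.

```text
! Session ACL for the controller's public-facing port (example, not from the thread).
! Session ACLs are stateful: sessions opened from the inside (the "ip nat inside"
! VLAN-2 users going out to the Internet) are tracked, so their return traffic is
! permitted without a separate "in" rule. Rules are matched top down, first hit wins.
ip access-list session public-inbound
  ! RAP tunnels (assumed transport: IKE / NAT-T / ESP; drop svc-esp if every
  ! RAP sits behind NAT and only ever uses UDP 4500)
  any any svc-ike  permit
  any any svc-natt permit
  any any svc-esp  permit
  ! Log the SSH probes seen on the public IP, then drop every other new
  ! inbound session; existing sessions are still handled by the session table
  any any svc-ssh  deny log
  any any any      deny
!
! Apply it on the outside port as a session ACL. The port stays trusted;
! the interface name is assumed, use the one facing your public network.
interface gigabitethernet 0/0/0
  ip access-group public-inbound session
!
! Verify: hit counters on the permit lines climb as RAPs come up, and the
! svc-ssh deny line counts the probes once they return.
show ip access-list public-inbound
```

The ACL only sits on the public port, so management over VLAN 2 is unaffected; still, apply it from a session on the inside (or console) rather than over the public IP, and bring one RAP up before adding the final deny so that a wrong service alias shows up as a missing permit hit rather than as a lost fleet.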