Wireless Access

paw
Contributor I
Posts: 34
Registered: ‎09-13-2011

Interface Session ACL

Hello,

My Aruba controller is connected to the MZ and directly reachable from the internet.

We DNAT connections to the controller IPs to an internal system, but all other connections we want to block.

ip access-list session ExtInterface_ACL
  host x.x.x.x host x.x.x tcp 443  dst-nat ip x.x.x.x
  any any any  deny log
!

DNAT is working. If I observe the security log, I can see other external systems "probing" TCP ports and these packets get blocked as expected.

But if I try to establish a connection via SSH to the IP address of this interface, I get a login prompt.

#show acl hits

Port Based Session ACL
----------------------
Policy                   Src   Dst         Service/Application  Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
------                   ---   ---         -------------------  ------  -----------  --------  ----------  -----  ---------
validuser                any   any         any                  permit               5         55          53     ipv4
ExtInterface_ACL         any   controller  any                  deny                 12        12          1591   ipv4
ExtInterface_ACL         any   any         any                  deny                 10        10          1592   ipv4

I guess this is related to the validuser ACL?

If yes: There are no valid users behind this interface. How can I disable this ACL for this interface?

If not: Please tell where to search for a solution.

Thanks in advance!

paw
Contributor I
Posts: 34
Registered: ‎09-13-2011

Re: Interface Session ACL

I forgot one thing. If I want to make this port untrusted, I get the following message:

Illegal Operation: Cannot make the port untrusted. 