Hello,
my aruba controller is connected to the MZ and directly reachable from the internet.
We DNAT connections to the controller IPs to an internal system, but all other connections we want to block.
ip access-list session ExtInterface_ACL
host x.x.x.x host x.x.x tcp 443 dst-nat ip x.x.x.x
any any any deny log
!
DNAT is working. If I observe the security log I can see other external systems "probing" TCP ports and these packets get blocked as expected.
But if I try to establish a connection via ssh to the IP address of this interface I get a login prompt.
#show acl hits
Port Based Session ACL
----------------------
Policy Src Dst Service/Application Action Dest/Opcode New Hits Total Hits Index Ipv4/Ipv6
------ --- --- ------------------- ------ ----------- -------- ---------- ----- ---------
validuser any any any permit 5 55 53 ipv4
ExtInterface_ACL any controller any deny 12 12 1591 ipv4
ExtInterface_ACL any any any deny 10 10 1592 ipv4
I guess this is related to the validuser ACL?
If yes: There are no valid users behind this interface. How can I disable this ACL for this interface?
If not: Please tell where to search for a solution.
Thanks in advance!
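To make the "show acl hits" output above easier to audit (for example, to spot a permit-action policy such as validuser still matching traffic on an interface that should only be governed by ExtInterface_ACL), here is an added Python example. It is not part of the original post and not Aruba's own tooling; it assumes the whitespace-separated row layout shown in the post (five leading columns, an optional Dest/Opcode column that may be blank, then New Hits, Total Hits, Index and Ipv4/Ipv6), and the sample text it parses is constructed from the rows in the post.

```python
"""Parse Aruba 'show acl hits' output and report which session ACLs are
actually matching traffic. Added example (assumption: the row layout of
the output shown in the post); not the original poster's or Aruba's code.
"""
from dataclasses import dataclass

# Constructed sample, copied from the layout in the post above.
SAMPLE_OUTPUT = """\
Port Based Session ACL
----------------------
Policy Src Dst Service/Application Action Dest/Opcode New Hits Total Hits Index Ipv4/Ipv6
------ --- --- ------------------- ------ ----------- -------- ---------- ----- ---------
validuser any any any permit 5 55 53 ipv4
ExtInterface_ACL any controller any deny 12 12 1591 ipv4
ExtInterface_ACL any any any deny 10 10 1592 ipv4
"""


@dataclass
class AclHit:
    policy: str
    src: str
    dst: str
    service: str
    action: str
    dest_opcode: str   # blank in the rows shown in the post
    new_hits: int
    total_hits: int
    index: int
    family: str


def parse_acl_hits(text):
    """Return one AclHit per data row; title, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        # Data rows end with the address family and carry at least nine fields;
        # the header ends with 'Ipv4/Ipv6' and the separator with dashes.
        if len(tokens) < 9 or tokens[-1].lower() not in ("ipv4", "ipv6"):
            continue
        if not tokens[-2].isdigit():
            continue
        policy, src, dst, service, action = tokens[:5]
        new_hits, total_hits, index, family = tokens[-4:]
        # Dest/Opcode is whatever sits between the fixed leading and trailing columns
        # (empty for plain session ACLs, as in the post).
        dest_opcode = " ".join(tokens[5:-4])
        rows.append(AclHit(policy, src, dst, service, action, dest_opcode,
                           int(new_hits), int(total_hits), int(index), family))
    return rows


def new_hits_by_policy(rows):
    """Sum 'New Hits' per policy name, so a growing counter is easy to spot."""
    totals = {}
    for r in rows:
        totals[r.policy] = totals.get(r.policy, 0) + r.new_hits
    return totals


def unexpected_permits(rows, expected_policies):
    """Rows whose action is 'permit', that matched traffic since the counters
    were last read, and whose policy is not one the interface is supposed to use.
    In the post, only ExtInterface_ACL is expected on the external interface,
    so the validuser row is flagged."""
    return [r for r in rows
            if r.action == "permit" and r.new_hits > 0
            and r.policy not in expected_policies]


if __name__ == "__main__":
    parsed = parse_acl_hits(SAMPLE_OUTPUT)
    for policy, hits in new_hits_by_policy(parsed).items():
        print(f"{policy:20s} new hits: {hits}")
    for r in unexpected_permits(parsed, {"ExtInterface_ACL"}):
        print(f"unexpected permit: {r.policy} (index {r.index}, new hits {r.new_hits})")
```

Feed it the output of two consecutive "show acl hits" runs taken while you open the ssh session and the policy whose "New Hits" column moves is the one letting the connection through; that tells you which ACL to look at without guessing.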