Wireless Access

DNe · ‎04-02-2017

Hi guys,

i have a new situation wehre i need to nat all client traffic to the internet and i got no firewall at this site. So i put the vlan to the provider on untrusted. The problem is that all traffic on the way back to the clients gets blocked (logon role). My thinking was that the pefng opens (stateful) the way back to the clients. What is here the preferred way to get the client access to the internet and block access to my infrastructue (if i trust the provider). How should be the acl look like on the vlan ? f.E. 192.168.100.0/24 is my client network and .254 is the gateway and lets say i got one 222.222.222.222 on the provider side (outside NAT address). Iam not sure if i block all traffic to the 222... the clients get traffic back. So currently i would block ssh and https on the 222. but isn't there a standard acl already for that situation with pefng lic ? and why is the back traffic not allows with untrusted ?

Thanks in advance !

ACMP

cjoseph · ‎04-02-2017

Please see the article here: http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-Connect-your-Aruba-Controller-to-a-Cable-Modem/m-p/951

You do not need to have the provider (public ip address) VLAN as untrusted. If you are sending wired traffic to the internet, that is the VLAN that you would need to be untrusted.

On the ethernet uplink to the provider, there is an ACL to allow DHCP, but ONLY if you get your public address directly from the provider as DHCP. If that ip address is static, you can just put that ip address on a separate VLAN interface, assign that VLAN to the uplink interface and make sure that the default gateway of the controller points to the next hop of the provider. You would then have a "deny all" ACL, instead of one that allows DHCP assigned to that uplink interface.

In the user role for your clients, you can go ahead and block any traffic to 222.222.222.222, because they do not need to access it.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Be in the know.

Join, Learn, Share.

How can we help?

Essential Reading.

Wireless Access

NAT with untrusted internet

NAT with untrusted internet

Re: NAT with untrusted internet

Re: NAT with untrusted internet

Itunes Sharring

AP Management lockdown

Securing Computers in the Logon Role

invalid mac's

MSR Visio Stencils

Remote AP Split Tunneling

Aruba Deployment with Firewalls

Remote AP

ISO 24730 Standard

ap uptime

WPA-PSK and VLAN assignment via MAC address

Cisco ACS and Aruba Radius Auth

ICMP Type and Code Filtering

Remove wireless profiles on Windows XP machines

Rolling out 802.1x with GTC

Aruba Access Point 80 SB/MB Download

Aruba Instant Downloads

Beta Downloads

Aruba Instant 6.4.2.6-4.1.1.10 Released 9/28/15

Re: ClearPass 6.5.0 CP-SW-EVAL

Remote AP Networks

Indoor 802.11n Site Survey and Planning

Base Designs Lab Setup for Validated Reference Design

Optimizing Aruba WLANs for Roaming Devices

Campus Redundancy Model

Wireless Access

NAT with untrusted internet

NAT with untrusted internet

Re: NAT with untrusted internet

Re: NAT with untrusted internet

Follow Us