04-02-2017 10:55 AM
I have a new situation where I need to NAT all client traffic to the internet and I have no firewall at this site. So I put the VLAN to the provider on untrusted. The problem is that all traffic on the way back to the clients gets blocked (logon role). My thinking was that the PEFNG opens (stateful) the way back to the clients. What is the preferred way here to give the clients access to the internet and block access to my infrastructure (if I trust the provider)? How should the ACL look on the VLAN? E.g. 192.168.100.0/24 is my client network and .254 is the gateway, and let's say I have one 126.96.36.199 on the provider side (outside NAT address). I am not sure, if I block all traffic to the 222..., whether the clients get traffic back. So currently I would block SSH and HTTPS on the 222. But isn't there already a standard ACL for that situation with the PEFNG licence? And why is the return traffic not allowed with untrusted?
Thanks in advance !
04-02-2017 11:55 AM
Please see the article here: http://community.arubanetworks.com/t5/Command-of-t
You do not need to have the provider (public IP address) VLAN as untrusted. If you are sending wired traffic to the internet, that is the VLAN that you would need to be untrusted.
On the Ethernet uplink to the provider, there is an ACL to allow DHCP, but ONLY if you get your public address directly from the provider via DHCP. If that IP address is static, you can just put that IP address on a separate VLAN interface, assign that VLAN to the uplink interface and make sure that the default gateway of the controller points to the next hop of the provider. You would then have a "deny all" ACL, instead of one that allows DHCP, assigned to that uplink interface.
In the user role for your clients, you can go ahead and block any traffic to 188.8.131.52, because they do not need to access it.
Aruba Customer Engineering
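A worked configuration of the layout the reply describes (client VLAN source-NATed, static public address on its own VLAN on the uplink, deny-all ACL on the uplink, client role blocking the outside address), added here as an example. It is not taken from the post or from the linked Aruba article. It assumes ArubaOS 6.x CLI syntax, VLAN 200 for the provider, a made-up public address 203.0.113.10/29 with next hop 203.0.113.9 (RFC 5737 documentation range standing in for the real outside address), port gigabitethernet 0/0/1 as the uplink, and the ACL and role names shown; the exact form of the interface `ip access-group` command and the built-in service names should be checked against the CLI reference for the release in use.

```arubaos
! Client VLAN from the question: 192.168.100.0/24, controller is the .254 gateway.
! "ip nat inside" source-NATs client traffic to the address of the egress interface.
vlan 100
interface vlan 100
  ip address 192.168.100.254 255.255.255.0
  ip nat inside
!
! Provider VLAN carrying the static public address (assumed values, RFC 5737 range).
vlan 200
interface vlan 200
  ip address 203.0.113.10 255.255.255.248
!
! Deny-all session ACL for the uplink, replacing the DHCP-permit ACL that is only
! needed when the public address is DHCP-assigned. The session firewall is stateful,
! so replies to client-initiated sessions still return; only unsolicited inbound is dropped.
ip access-list session uplink-deny-all
  any any any deny
!
! Uplink port (assumed port id). Left untrusted so that the interface ACL is enforced.
interface gigabitethernet 0/0/1
  description "provider uplink"
  switchport access vlan 200
  no trusted
  ip access-group uplink-deny-all session
!
! Default route of the controller toward the provider's next hop.
ip default-gateway 203.0.113.9
!
! Client role: allow DHCP, deny the outside NAT address entirely, deny SSH/HTTPS
! to the controller's inside address (the management services the question
! wants closed), then permit everything else outbound.
ip access-list session client-internet
  user any svc-dhcp permit
  user host 203.0.113.10 any deny
  user host 192.168.100.254 svc-ssh deny
  user host 192.168.100.254 svc-https deny
  user any any permit
!
user-role internet-only
  access-list session client-internet
```

Rules in a session ACL are evaluated top down and the first match wins, which is why the DHCP permit and the two deny rules sit above the final `user any any permit`. Clients need to be placed in the `internet-only` role (for example by the initial role of their AAA profile) rather than left in `logon`, whose default ACLs only permit the traffic needed to authenticate.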