Wireless Access

Reply
DNe
Contributor II

NAT with untrusted internet

Hi guys,

 

i have a new situation wehre i need to nat all client traffic to the internet and i got no firewall at this site. So i put the vlan to the provider on untrusted. The problem is that all traffic on the way back to the clients gets blocked (logon role). My thinking was that the pefng opens (stateful) the way back to the clients. What is here the preferred way to get the client access to the internet and block access to my infrastructue (if i trust the provider). How should be the acl look like on the vlan ? f.E. 192.168.100.0/24 is my client network and .254 is the gateway and lets say i got one 222.222.222.222 on the provider side (outside NAT address). Iam not sure if i block all traffic to the 222... the clients get traffic back. So currently i would block ssh and https on the 222. but isn't there a standard acl already for that situation with pefng lic ? and why is the back traffic not allows with untrusted ?

 

Thanks in advance !

ACMP
Guru Elite

Re: NAT with untrusted internet

Please see the article here:  http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-Connect-your-Aruba-Controller-to-a-Cable-Modem/m-p/951

 

You do not need to have the provider (public ip address) VLAN as untrusted.  If you are sending wired traffic to the internet, that is the VLAN that you would need to be untrusted.

 

On the ethernet uplink to the provider, there is an ACL to allow DHCP, but ONLY if you get your public address directly from the provider as DHCP.  If that ip address is static, you can just put that ip address on a separate VLAN interface, assign that VLAN to the uplink interface and make sure that the default gateway of the controller points to the next hop of the provider.  You would then have a "deny all" ACL, instead of one that allows DHCP assigned to that uplink interface.

 

In the user role for your clients, you can go ahead and block any traffic to 222.222.222.222, because they do not need to access it.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: