Regular Contributor I

Need help with a firewall rule to protect internal network on guest wlan

Such a simple rule, or so I thought...

 

I have a "route to esi" redirect which pushes guest traffic towards a UTM in the dmz.

 

I'm trying to block access to all internal LANs and the DMZ, apart from the interface for the UTM.  As the route-to-ESI rule has a destination of ANY, I can't quite figure out the rules I need before it which protect the internal LAN and allow everything else out.

 

Unfortunately I can't do a "block network apart from one address", or even specify a range... 

 

I'm probably just thinking about it the wrong way, so I would appreciate any help.

 

 

Aruba

Re: Need help with a firewall rule to protect internal network on guest wlan

Typical guest networks block access to all RFC1918 address space (assuming your internal network uses it); other networks can be added as needed.   The easiest way to accomplish this is to set up a netdestination for all those ranges, then set a policy to deny access to them.  For example:

 

netdestination internal-networks

  network 10.0.0.0 255.0.0.0

  network 192.168.0.0 255.255.0.0

  network 172.16.0.0 255.240.0.0

  <Add any others you want>

 

Then, within the policy of your choice, add the following above your ESI redirect rule. 

 

user alias internal-networks any deny

 

You may have to add an entry for the UTM; if you do, then add the following ahead of the deny rule (depending on what you are redirecting).

 

user host x.x.x.x svc-http permit

user host x.x.x.x svc-https permit

 

 

You can also use a similar netdestination option:

netdestination utm-appliance

  host x.x.x.x

 

user alias utm-appliance svc-http permit

user alias utm-appliance svc-https permit

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Regular Contributor I

Re: Need help with a firewall rule to protect internal network on guest wlan

Thanks for your comprehensive answer, but reading through your code, I believe I would still see the problem...

 

user host 192.168.0.1 svc-http permit

user host 192.168.0.1 svc-https permit

user alias internal-networks any deny

ESI rule

 

The UTM address is 192.168.0.1, so I need to allow this single destination while blocking the rest of the subnet. 

 

 

Re: Need help with a firewall rule to protect internal network on guest wlan

Rules are read top-down; therefore, if someone were accessing the UTM, they would be allowed because that rule is before the deny rule. Any other IP outside of 192.168.0.1 would be denied.

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Regular Contributor I

Re: Need help with a firewall rule to protect internal network on guest wlan

But the ESI rule is after the block rule, so as the host is within the network being blocked, it wouldn't work.

 

If I put the ESI rule before the block, the block wouldn't do anything, as the ESI is for any destination.

Re: Need help with a firewall rule to protect internal network on guest wlan

Sorry, I misread your post; I just noticed the ESI rule.
Can you post what your ESI rule looks like?


user host 192.168.0.1 svc-http permit

user host 192.168.0.1 svc-https permit

ESI rule modified to contain an implicit deny to internal networks, then allow all?

 

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Regular Contributor I

Re: Need help with a firewall rule to protect internal network on guest wlan

alias guest-network any any redirect esi-group "guest-group" direction forward

 

The problem is the fact that I'm trying to block all other access to the subnet that the interface of the UTM is in.

Re: Need help with a firewall rule to protect internal network on guest wlan

Reading your original post once more, why would you want to access UTM interface from the guest network?

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Regular Contributor I

Re: Need help with a firewall rule to protect internal network on guest wlan

The UTM is in our DMZ. The guest network is on an internal network, and we are using route to ESI to redirect traffic.  We have 2 internet gateways; by default, all corp traffic routes to another UTM, so we needed a way to redirect guest traffic without the use of proxy servers...

Aruba

Re: Need help with a firewall rule to protect internal network on guest wlan


$k3l3t0r wrote:

Thanks for your comprehensive answer, but reading through your code, I believe I would still see the problem...

 

user host 192.168.0.1 svc-http permit

user host 192.168.0.1 svc-https permit

user alias internal-networks any deny

ESI rule

                   

The UTM address is 192.168.0.1, so I need to allow this single destination while blocking the rest of the subnet.  

Is the above not working?   It is allowing HTTP and HTTPS to 192.168.0.1 (your UTM).  It then blocks all other internal networks.  That is followed by your ESI rule.  

 

You could also consider doing an "invert" on a netdestination, which essentially excludes the entry.  For example,

 

netdestination "all-except-UTM"
 invert
 host 192.168.0.1
 
Then use a rule like the following to redirect all traffic except to 192.168.0.1 to the esi-group you have defined.
                   

alias guest-network alias all-except-UTM any redirect esi-group "guest-group" direction forward

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
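As an added example (not code from this thread, from Aruba, or from either poster), the following Python script models the first-match, top-down evaluation that the replies above rely on, so the orderings argued about in the thread (UTM permits first, then the RFC1918 deny, then the ESI redirect; the feared "redirect first" misordering; and the inverted netdestination from the last reply) can be checked against sample flows. The netdestination names, the sample destination addresses and the flows are constructed for illustration; the ESI group name and UTM address are the ones from the thread.

```python
"""Added example, not code from the Airheads thread. A minimal first-match
evaluator modelling how an ArubaOS session ACL is walked top-down, so the
rule orderings discussed in the thread can be checked against sample flows.
The sample destinations and flows are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NetDestination:
    """Models `netdestination <name>` with host/network entries and an optional `invert`."""
    name: str
    entries: list = field(default_factory=list)   # ipaddress network objects
    invert: bool = False

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in net for net in self.entries)
        return (not hit) if self.invert else hit   # invert flips membership


@dataclass
class Rule:
    """One ACL line: destination, service, action (the source is always `user`)."""
    dest: str      # "any", "host <ip>" or "alias <netdestination>"
    service: str   # "any", "svc-http" or "svc-https"
    action: str    # "permit", "deny" or "redirect esi-group <name>"


SERVICES = {"svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}


def _dest_matches(dest: str, dst_ip: str, aliases: dict) -> bool:
    kind, _, arg = dest.partition(" ")
    if kind == "any":
        return True
    if kind == "host":
        return ipaddress.ip_address(dst_ip) == ipaddress.ip_address(arg)
    if kind == "alias":
        return aliases[arg].contains(dst_ip)
    raise ValueError(f"unknown destination {dest!r}")


def _service_matches(service: str, proto: str, port: int) -> bool:
    return service == "any" or SERVICES[service] == (proto, port)


def evaluate(rules, aliases, dst_ip, proto, port) -> str:
    """First matching rule wins; an ArubaOS policy ends in an implicit deny."""
    for rule in rules:
        if _dest_matches(rule.dest, dst_ip, aliases) and _service_matches(rule.service, proto, port):
            return rule.action
    return "deny (implicit)"


ALIASES = {
    "internal-networks": NetDestination("internal-networks", [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ]),
    # The invert trick from the last reply: matches every address except the UTM.
    "all-except-UTM": NetDestination("all-except-UTM",
                                     [ipaddress.ip_network("192.168.0.1/32")], invert=True),
}

UTM = "192.168.0.1"
REDIRECT = 'redirect esi-group "guest-group"'

# Ordering from the thread: permit the UTM, deny RFC1918, then redirect the rest.
ORDERED = [
    Rule(f"host {UTM}", "svc-http", "permit"),
    Rule(f"host {UTM}", "svc-https", "permit"),
    Rule("alias internal-networks", "any", "deny"),
    Rule("any", "any", REDIRECT),
]

# The misordering the original poster feared: a redirect-any rule placed first
# shadows every later rule, so the deny never fires.
MISORDERED = [ORDERED[3], ORDERED[0], ORDERED[1], ORDERED[2]]

# Variant using the inverted netdestination: the redirect itself excludes the UTM.
INVERTED = ORDERED[:3] + [Rule("alias all-except-UTM", "any", REDIRECT)]

# Constructed sample flows from a guest client (dst_ip, proto, port).
FLOWS = [
    (UTM, "tcp", 443),             # the UTM's web interface
    ("192.168.0.50", "tcp", 443),  # another host in the UTM's subnet
    ("10.20.30.40", "tcp", 22),    # corporate LAN
    ("203.0.113.10", "tcp", 443),  # the internet (TEST-NET-3 documentation range)
]


def run_policy(rules) -> dict:
    """Return {"ip:port": verdict} for every constructed flow under the given rule list."""
    return {f"{ip}:{port}": evaluate(rules, ALIASES, ip, proto, port) for ip, proto, port in FLOWS}


if __name__ == "__main__":
    for name, policy in (("ordered", ORDERED), ("misordered", MISORDERED), ("inverted", INVERTED)):
        print(name)
        for flow, verdict in run_policy(policy).items():
            print(f"  {flow:<20} -> {verdict}")
```

Running it shows the ordered policy permitting only HTTP/HTTPS to 192.168.0.1, denying the rest of the UTM's subnet and the corporate LAN, and redirecting internet-bound traffic to the ESI group, while the misordered policy redirects everything, including the internal networks, because the redirect-any rule is hit first. The inverted variant gives the same verdicts as the ordered one; what the invert buys is a netdestination that means "everything except this host", which a plain network entry cannot express.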
