04-11-2012 08:49 AM
I have a customer with an internet routable ip address straight into the Aruba controller that they use for VIA and RAP access.
This particular client is a credit union and they are concerned about the Aruba PEF and possibility of someone gaining access to their financial network through this connection.
So here come the obvious questions...
- By default what ports will the controller respond to?
- What is the best way to limit or lock down unneeded ports?
In the past I've done this by creating and then assigning a firewall policy in Configuration > Network > Port session settings. Would this be the correct way to do this?
Like I stated earlier, they are a financial institution and I want to make sure I have best practices for limiting access in place and all my bases covered.
Any input greatly appreciated.
04-11-2012 12:39 PM
Yeah, you have the right idea. Ideally, with a setup like that, you would have an inside facing interface and an internet facing interface. You can create an extended ACL for just the ports you need and attach it to the internet facing interface and specify the inbound direction.
RAP only needs NAT-T, which is UDP 4500. You should check on VIA though as I'm not terribly familiar with that. It's probably NAT-T and HTTPS, or just one or the other. My example below just shows NAT-T.
ip access-list extended internet-in
  permit udp any host <controller outside ip address> eq 4500
interface gigabitethernet 0/1
  description "Connection to Internet"
  ip access-group "internet-in" in
  trusted vlan 1-4094
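As an added defender-side check (example code, not from the post's author or from Aruba), the script below parses an ACL written in the syntax shown above and reports any permit that is not one of the services a VIA/RAP-only controller needs, plus whether the ACL is actually applied inbound on an interface. The TCP 443 entry for VIA, the allowlist itself and the sample address 203.0.113.10 are assumptions.

```python
"""Audit an ArubaOS-style extended ACL on an internet-facing controller interface and flag
permits outside the services the controller must expose. Added example, not Aruba tooling;
grammar is the answer's `permit <proto> <src> <dst> [eq <port>]`, TCP 443 assumed for VIA."""
import re

ALLOWED = {("udp", 4500), ("tcp", 443)}   # assumption: RAP NAT-T plus VIA over HTTPS
RULE = re.compile(
    r"^(permit|deny)\s+(\w+)\s+(?:any|host \S+|\S+ \S+)\s+(any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(\d+))?\s*$")

def parse_acl(config: str, name: str) -> list[tuple]:
    """(action, proto, dst, port) for each entry of the named ACL; port None = any port."""
    rules, inside = [], False
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        m = RULE.match(line)
        if line.startswith("ip access-list extended "):
            inside = line.split()[3].strip('"') == name
        elif inside and m:
            action, proto, dst, port = m.groups()
            rules.append((action, proto, dst, int(port) if port else None))
        else:
            inside = False            # any other top-level line ends the ACL body
    return rules

def is_bound_inbound(config: str, name: str) -> bool:
    """True if some interface applies the ACL with `ip access-group <name> in`."""
    pat = rf'^\s*ip access-group "?{re.escape(name)}"? in\s*$'
    return re.search(pat, config, re.M) is not None

def audit(config: str, name: str) -> list[str]:
    """Findings; an empty list means only allow-listed services are permitted inbound."""
    findings = [] if is_bound_inbound(config, name) else [f"{name} not applied inbound"]
    for action, proto, dst, port in parse_acl(config, name):
        if action != "permit":
            continue
        if port is None:
            findings.append(f"permit {proto} to {dst}: no destination port restriction")
        elif (proto, port) not in ALLOWED:
            findings.append(f"permit {proto}/{port} to {dst}: not a required service")
    return findings

# Constructed sample: the answer's ACL plus a VIA rule and one stray SSH permit.
SAMPLE_CONFIG = """
ip access-list extended internet-in
  permit udp any host 203.0.113.10 eq 4500
  permit tcp any host 203.0.113.10 eq 443
  permit tcp any host 203.0.113.10 eq 22
interface gigabitethernet 0/1
  ip access-group "internet-in" in
"""
```

Run `audit(SAMPLE_CONFIG, "internet-in")` against a copy of the controller's running config to list every exposed service that is not on the allowlist; an empty result means the ACL matches the intended lockdown.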