05-04-2012 09:43 AM
I have a new project to deploy a 620 at a remote site which will act as a local controller. The 620 will terminate the internet connection, which has 4 static IPs. I've been asked to allow external contractors access to several internal devices. I'm thinking we could use a port-forwarding configuration on one of the static IPs. Does anyone have experience with configuring this on an Aruba controller? I wasn't able to find anything addressing this in the VRDs or User Guide. Thanks in advance.
05-04-2012 10:08 AM
Pretty straight forward (but as you said... not documented):
Setup an ACL (the one below will allow ssh, tcp/80 and everything else, as an example):
ip access-list session inbound_access
  any any svc-dhcp permit
  any host <external IP> svc-ssh dst-nat ip <internal IP>
  any host <external IP> tcp 80 dst-nat ip <internal IP>
  any host <external IP> any dst-nat ip <internal IP>
Apply that ACL to your inbound port on the controller:
interface gigabit 1/0
  ip access-group inbound_access session
Make sure your inside port is NATing:
interface gigabit 1/1
  ip nat inside
That should be it.
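The last rule in the ACL above forwards every port on the external address to the internal host, not just SSH and HTTP. A small lint pass over the session ACL before it goes onto the controller makes that kind of over-broad forward visible. The script below is an added example written for this thread, not Aruba code or anything from the original posts; the rule grammar it parses is inferred from the four rules shown (src, dst, service, action), and the sample ACL is constructed with placeholder RFC 5737 / RFC 1918 addresses in place of the real ones.

```python
"""Lint Aruba-style session ACL rules for over-broad dst-nat forwards.

Added example, not from the original thread. Rule grammar assumed from
the rules posted above:
    <src> <dst> <service> <action>
where <src>/<dst> is 'any' or 'host <ip>', <service> is 'any',
'svc-<name>' or '<tcp|udp> <port>', and <action> is 'permit' or
'dst-nat ip <ip>'.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample modelled on the accepted answer's ACL; the
# addresses are placeholders, not values from the thread.
SAMPLE_ACL = """
ip access-list session inbound_access
  any any svc-dhcp permit
  any host 203.0.113.10 svc-ssh dst-nat ip 10.0.0.5
  any host 203.0.113.10 tcp 80 dst-nat ip 10.0.0.5
  any host 203.0.113.10 any dst-nat ip 10.0.0.5
"""


@dataclass
class Rule:
    src: str
    dst: str
    service: str
    action: str              # 'permit', 'deny', 'dst-nat', ...
    nat_target: Optional[str]  # internal address for dst-nat rules


def _take_endpoint(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume 'any' or 'host <ip>' from the front of the token list."""
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return tokens[0], tokens[1:]


def parse_rules(text: str) -> List[Rule]:
    """Parse the rule lines of one session ACL into Rule objects."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and the 'ip access-list session <name>' header.
        if not line or line.startswith("ip access-list"):
            continue
        tokens = line.split()
        src, rest = _take_endpoint(tokens)
        dst, rest = _take_endpoint(rest)
        if rest[0] in ("tcp", "udp"):
            service, rest = f"{rest[0]} {rest[1]}", rest[2:]
        else:
            service, rest = rest[0], rest[1:]
        if rest[0] == "dst-nat":
            # 'dst-nat ip <internal address>'
            rules.append(Rule(src, dst, service, "dst-nat", rest[2]))
        else:
            rules.append(Rule(src, dst, service, rest[0], None))
    return rules


def find_broad_forwards(rules: List[Rule]) -> List[Rule]:
    """Rules that forward *every* port ('any' service) to an internal host."""
    return [r for r in rules if r.action == "dst-nat" and r.service == "any"]


def summarize_exposure(rules: List[Rule]) -> Dict[str, Set[str]]:
    """Map each internal NAT target to the services reachable from outside."""
    exposure: Dict[str, Set[str]] = {}
    for r in rules:
        if r.action == "dst-nat" and r.nat_target is not None:
            exposure.setdefault(r.nat_target, set()).add(r.service)
    return exposure


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_ACL)
    for target, services in summarize_exposure(parsed).items():
        print(f"{target}: {sorted(services)}")
    for r in find_broad_forwards(parsed):
        print(f"WARNING: all ports forwarded to {r.nat_target} "
              f"(rule: {r.src} {r.dst} {r.service} dst-nat ip {r.nat_target})")
```

Run it against the ACL you intend to push; a warning means the intended "SSH and HTTP only" exposure has silently become "everything", and the final rule should be dropped or narrowed to the specific services the contractors need.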
05-04-2012 10:12 AM
If you want to be more secure, you could provide the VIA client to your contractors and configure it so that they were only able to access the appropriate resources. That way, there would not be an open hole into your network from the Internet.
I have the port forwarding up and running and see several hundred denied login attempts per day. If you do open the holes, make sure your resources are secured properly on the ports/protocols you allow inbound.
05-09-2012 10:13 AM
Thanks, guys. This is very helpful. I think we're going to just provide VPN access to these users and lock their role down appropriately.