Wireless Access

Frequent Contributor II
Posts: 159
Registered: ‎12-06-2010

Port-Forwarding for External Access to Internal Devices

I have a new project to deploy a 620 at a remote site which will act as a local controller. The 620 will terminate the internet connection, which has 4 static IPs. I've been asked to allow external contractors access to several internal devices. I'm thinking we could use a port-forwarding configuration on one of the static IPs. Does anyone have experience with configuring this on an Aruba controller? I wasn't able to find anything addressing this in the VRDs or User Guide. Thanks in advance.

Network Engineer | Airhead | Titus 3:5
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Port-Forwarding for External Access to Internal Devices

Pretty straightforward (but as you said... not documented):

Set up an ACL (the one below will allow ssh, tcp/80 and everything else, as an example):

ip access-list session inbound_access
  any any svc-dhcp permit
  any host <external IP> svc-ssh dst-nat ip <internal IP>
  any host <external IP> tcp 80 dst-nat ip <internal IP>
  any host <external IP> any dst-nat ip <internal IP>

Apply that ACL to your inbound port on the controller:

interface gigabit 1/0
  ip access-group inbound_access session

Make sure your inside port is NATing:

interface gigabit 1/1
  ip nat inside

That should be it.

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Port-Forwarding for External Access to Internal Devices

If you want to be more secure, you could provide the VIA client to your contractors and configure it so that they were only able to access the appropriate resources. That way, there would not be an open hole into your network from the Internet.

I have the port forwarding up and running and see several hundred denied login attempts per day. If you do open the holes, make sure your resources are secured properly on the ports/protocols you allow inbound.
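
An added example, not part of the thread and not Aruba tooling: a small Python audit of a session ACL written in the form posted above, flagging dst-nat rules that accept any source or that forward every service. The addresses are constructed placeholders for `<external IP>` and `<internal IP>`, and the parser assumes only the address forms `any`, `user`, `host`, `alias` and `network`.

```python
# Constructed sample: the ACL from the reply above, with placeholder
# addresses substituted for <external IP> and <internal IP>.
SAMPLE_ACL = """\
ip access-list session inbound_access
  any any svc-dhcp permit
  any host 203.0.113.10 svc-ssh dst-nat ip 10.1.1.20
  any host 203.0.113.10 tcp 80 dst-nat ip 10.1.1.20
  any host 203.0.113.10 any dst-nat ip 10.1.1.20
"""


def take_addr(tok):
    """Consume one source or destination spec from the front of tok."""
    kind = tok.pop(0)
    if kind in ("any", "user"):
        return kind
    if kind in ("host", "alias"):
        return f"{kind} {tok.pop(0)}"
    if kind == "network":
        return f"network {tok.pop(0)} {tok.pop(0)}"
    raise ValueError(f"unsupported address spec: {kind}")


def audit(acl_text):
    """Return (line_no, severity, message) for each risky dst-nat rule."""
    findings = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        tok = line.split()
        # Skip blanks, the ACL header, and rules that do not forward anything.
        if not tok or tok[0] == "ip" or "dst-nat" not in tok:
            continue
        src = take_addr(tok)
        dst = take_addr(tok)
        cut = tok.index("dst-nat")
        service = " ".join(tok[:cut])
        target = " ".join(tok[cut + 1:])
        if service == "any":
            # Catch-all forward: every port on the public address is exposed.
            findings.append((n, "HIGH", f"all services on {dst} forwarded to {target}"))
        elif src == "any":
            # Single service, but open to the whole Internet.
            findings.append((n, "MEDIUM", f"{service} on {dst} open to any source"))
    return findings


if __name__ == "__main__":
    for n, severity, message in audit(SAMPLE_ACL):
        print(f"line {n}: {severity}: {message}")
```

A rule whose source is a specific `host`, `network` or `alias` and whose service is a single port produces no finding.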

Frequent Contributor II
Posts: 159
Registered: ‎12-06-2010

Re: Port-Forwarding for External Access to Internal Devices

Thanks, guys. This is very helpful. I think we're going to just provide VPN access to these users and lock their role down appropriately.

Network Engineer | Airhead | Titus 3:5