04-05-2016 07:22 AM - edited 04-05-2016 07:25 AM
I opened this thread to help other people who have a problem with WatchGuard Firewalls and Aruba Remote Access Points. At first we thought that we had to use the same policy scheme for publishing the WLAN controller to the internet as for publishing a web server to the internet (static NAT to the internal IP address, SNAT).
That won't run. You have to use 1-to-1 NAT, and your public IP address must not be set as a secondary IP address on the external interface of the WatchGuard firewall. Otherwise the WatchGuard firewall will try to terminate the incoming requests of the Remote Access Point.
1. Remove the public IP address from the secondary IP list of the external interface.
2. Create a 1-to-1 NAT rule (NAT base: public IP, real base: controller IP).
3. Create the outgoing firewall rule (when needed):
   FROM "controller IP" TO "ANY-External", IPSec policy
4. Create the incoming firewall rule (needed):
   FROM "ANY-External" TO "public IP", IPSec policy (1-to-1 NAT will be used)
5. Be sure the default gateway of the controller points to the WatchGuard.
That's it. Hope somebody finds it helpful.
ACMP, ACCP, Brocade Certified
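The five steps above, written as a configuration sanity check. This is an added example and not code from the post or from WatchGuard: the `cfg` dictionary and its keys (`external_secondary_ips`, `nat_rules`, `policies`, and so on) are a hypothetical model of the relevant firewall settings, not a WatchGuard API, and the addresses are constructed from the RFC 5737 documentation ranges. The checker flags the two conditions the post identifies as the cause of failure (an SNAT rule instead of 1-to-1 NAT, and the public IP left as a secondary address on the external interface) as well as a missing incoming IPSec policy or a wrong default gateway on the controller.

```python
"""Sanity checker for the WatchGuard / Aruba RAP publishing setup.

Added example, not code from the post or from WatchGuard: the ``cfg`` dict
is a constructed, hypothetical model of the relevant firewall settings
(external interface secondaries, NAT rules, policies, controller gateway).
It encodes the steps of the post as checks.
"""
from ipaddress import ip_address
from typing import Dict, List

# Problem codes returned by the checker, one per violated step.
PUBLIC_IP_IS_SECONDARY = "PUBLIC_IP_IS_SECONDARY"      # step 1 violated
NO_1TO1_NAT = "NO_1TO1_NAT"                            # step 2 violated
NO_INCOMING_IPSEC_POLICY = "NO_INCOMING_IPSEC_POLICY"  # step 4 violated
GATEWAY_NOT_FIREWALL = "GATEWAY_NOT_FIREWALL"          # step 5 violated


def _same_ip(text: str, addr) -> bool:
    """True if ``text`` parses to the address ``addr``; aliases such as
    "Any-External" are not addresses and never match."""
    try:
        return ip_address(text) == addr
    except ValueError:
        return False


def check_rap_publishing(cfg: Dict) -> List[str]:
    """Return the list of violated steps; an empty list means the config
    matches the working setup described in the post."""
    problems: List[str] = []
    public_ip = ip_address(cfg["public_ip"])
    controller_ip = ip_address(cfg["controller_ip"])
    firewall_lan_ip = ip_address(cfg["trusted_interface_ip"])

    # Step 1: the public IP must not be a secondary IP of the external
    # interface, or the firewall terminates the RAP's IPSec traffic itself.
    secondaries = {ip_address(a) for a in cfg["external_secondary_ips"]}
    if public_ip in secondaries:
        problems.append(PUBLIC_IP_IS_SECONDARY)

    # Step 2: a 1-to-1 NAT rule with NAT base = public IP and real base =
    # controller IP. A plain SNAT rule (the web-server pattern) does not count.
    has_1to1 = any(
        r["type"] == "1to1"
        and _same_ip(r["nat_base"], public_ip)
        and _same_ip(r["real_base"], controller_ip)
        for r in cfg["nat_rules"]
    )
    if not has_1to1:
        problems.append(NO_1TO1_NAT)

    # Step 4: incoming rule Any-External -> public IP using the IPSec policy.
    # (Step 3, the outgoing rule, is optional in the post and is not checked.)
    has_incoming = any(
        p["from"] == "Any-External"
        and _same_ip(p["to"], public_ip)
        and p["policy"] == "IPSec"
        for p in cfg["policies"]
    )
    if not has_incoming:
        problems.append(NO_INCOMING_IPSEC_POLICY)

    # Step 5: the controller's default gateway must be the WatchGuard's
    # internal (trusted) interface address.
    if ip_address(cfg["controller_default_gateway"]) != firewall_lan_ip:
        problems.append(GATEWAY_NOT_FIREWALL)

    return problems


# Constructed sample configuration that follows all five steps.
WORKING_CFG = {
    "public_ip": "203.0.113.10",
    "controller_ip": "192.0.2.20",
    "trusted_interface_ip": "192.0.2.1",
    "controller_default_gateway": "192.0.2.1",
    "external_secondary_ips": [],  # step 1: public IP is not a secondary
    "nat_rules": [
        {"type": "1to1", "nat_base": "203.0.113.10", "real_base": "192.0.2.20"},
    ],
    "policies": [
        {"from": "192.0.2.20", "to": "Any-External", "policy": "IPSec"},    # step 3
        {"from": "Any-External", "to": "203.0.113.10", "policy": "IPSec"},  # step 4
    ],
}

# Constructed variant of the web-server pattern the post says does not work:
# public IP as a secondary address plus an SNAT rule instead of 1-to-1 NAT.
BROKEN_CFG = {
    **WORKING_CFG,
    "external_secondary_ips": ["203.0.113.10"],
    "nat_rules": [
        {"type": "snat", "nat_base": "203.0.113.10", "real_base": "192.0.2.20"},
    ],
}

if __name__ == "__main__":
    for name, cfg in (("working", WORKING_CFG), ("broken", BROKEN_CFG)):
        print(name, check_rap_publishing(cfg) or "OK")
```

Running the block prints `working OK` and then the two codes for the broken variant; to audit a real setup, fill the dictionary from the firewall's exported configuration and look for a non-empty result.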