Wireless Access

Setting up port forwarding via GUI

  • 1.  Setting up port forwarding via GUI

    Posted Mar 17, 2015 11:23 AM

    Greetings all,

     

    I currently have a 620 with ArubaOS 6.1.3.11 and am trying to access a wired device on port 3.

     

    Correct me if I'm wrong on this but it sounds like I need to do the following:

    1. Set port 8 (cable modem) Firewall Policy -> session -> inbound_access
    2. Set up a NAT pool for the dynamic-srcnat to destination ip of 0.0.0.0

    This about right? I can attach screen shots for confirmation.

    Thanks!



  • 2.  RE: Setting up port forwarding via GUI

    Posted Mar 17, 2015 11:57 AM

    Hi,

    Are you trying to connect a Wired client to the controller and you want to enable authentication on that port?

    Please share your requirement clearly so that I can provide you a step-by-step solution.



  • 3.  RE: Setting up port forwarding via GUI

    Posted Mar 17, 2015 01:16 PM

    The wired client is attached, and works just fine. I'd like access to the wired client from the Internet. I don't think I need any authentication, just setting up port forwarding so I can gain access to it from anywhere.

     

    So for example, let's say I want to connect to my surveillance system DVR which is at 10.1.100.199:18004. The internet address (cable modem) is 45.24.65.122. I want to give my smartphone 45.24.65.122:18004 to gain access to the surveillance DVR.

     

    Does this help?



  • 4.  RE: Setting up port forwarding via GUI

    EMPLOYEE
    Posted Mar 19, 2015 01:28 AM

    andrius b.,

     

    In the instructions on how to connect your controller to a cable modem here:  http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-Connect-your-Aruba-Controller-to-a-Cable-Modem/m-p/951/highlight/true#M64 there is an ACL that you put on the uplink of the controller to allow DHCP from the cable modem:

    ip access-list session controller-uplink-acl
    any any svc-dhcp permit
    any any any deny

     

    To do what you want, on a line right before the "any any any deny", you would put the line:

    any host 45.24.65.122 tcp 18004 dst-nat ip 10.1.100.199 18004

     The combined ACL would look like this:

    ip access-list session controller-uplink-acl
    any any svc-dhcp permit
    any host 45.24.65.122 tcp 18004 dst-nat ip 10.1.100.199 18004
    any any any deny

     Then you would apply the "controller-uplink-acl" ACL to the uplink to your cable modem like this:

    interface gigabitethernet 1/0
    ip access-group controller-uplink-acl session
    

     That is assuming that interface gigabitethernet 1/0 is your uplink.

     

    Basically the destination-nat statement looks for any traffic going to the public address of 45.24.65.122 on tcp port 18004 and it rewrites it to go to 10.100.1.199 on port 18004.  For the traffic to even hit the ACL, the controller needs to have the public ip address of 45.24.65.122, otherwise it will not be processed.  In addition, the controller needs to be able to route the traffic to 10.100.1.199.  It also needs to be able to return any traffic out to the internet to respond.
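
Added example (not part of the original thread and not Aruba's code): a small Python model of first-match evaluation for the combined ACL in post 4, useful for checking that only TCP 18004 to the public address is forwarded and that everything else reaches the final deny. It assumes svc-dhcp means UDP 67-68, ignores the source field (always "any" here), and parses only the rule forms shown in the thread.

```python
import ipaddress

# Rule lines copied from the combined ACL in post 4 of this thread.
ACL = """\
any any svc-dhcp permit
any host 45.24.65.122 tcp 18004 dst-nat ip 10.1.100.199 18004
any any any deny
"""

# Assumption: svc-dhcp is the predefined service alias for UDP 67-68.
SERVICES = {"svc-dhcp": ("udp", 67, 68)}


def parse_rule(line):
    """Parse '<src> <dst> <service> <action>' for the forms used in this ACL."""
    tok = line.split()
    tok.pop(0)  # source: always 'any' in this ACL, so it is not matched
    dst = tok.pop(0)
    dst = None if dst == "any" else ipaddress.ip_address(tok.pop(0))  # 'host <ip>'
    svc = tok.pop(0)
    if svc == "any":
        match = None
    elif svc in SERVICES:
        match = SERVICES[svc]
    else:  # '<proto> <port>'
        port = int(tok.pop(0))
        match = (svc, port, port)
    action = tok.pop(0)
    nat = None
    if action == "dst-nat":  # 'dst-nat ip <addr> <port>'
        nat = (ipaddress.ip_address(tok[1]), int(tok[2]))
    return dst, match, action, nat


def evaluate(rules, dst_ip, proto, dport):
    """Return (action, nat_target_or_None) of the first rule that matches."""
    dst_ip = ipaddress.ip_address(dst_ip)
    for dst, match, action, nat in rules:
        if dst is not None and dst != dst_ip:
            continue
        if match is not None and not (match[0] == proto and match[1] <= dport <= match[2]):
            continue
        return action, nat
    return "deny", None  # Assumption: traffic matching no rule is dropped


RULES = [parse_rule(l) for l in ACL.splitlines() if l.strip()]

if __name__ == "__main__":
    for pkt in [("45.24.65.122", "tcp", 18004), ("45.24.65.122", "tcp", 22)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

Moving the dst-nat line below "any any any deny" in `ACL` makes the forward unreachable in this model, which is why the post places it right before the deny.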

     

     

     

     

     



  • 5.  RE: Setting up port forwarding via GUI

    Posted Mar 24, 2015 10:11 PM

    Thanks very much, but is there no way to do this via the GUI (as requested earlier)? Is the only way to do this via command line?

     

    Thank you!



  • 6.  RE: Setting up port forwarding via GUI

    EMPLOYEE
    Posted Mar 24, 2015 10:28 PM

    Yes, you can create the ACL as a session ACL in the GUI and then apply it to the interface in the GUI...



  • 7.  RE: Setting up port forwarding via GUI

    Posted Mar 25, 2015 12:52 PM

    Thanks very much! I figured out how to do it, and will post screen shots shortly. However, I did use "inbound_access" for session for the Gigabit, but still worked. Hopefully this is also OK.



  • 8.  RE: Setting up port forwarding via GUI

    Posted Mar 25, 2015 08:46 PM

    Here's what I did - Thanks to Aruba for giving me the clues to find this in the GUI with the command line.

     

    Part 1: Set the ACLs

    Part 2: Apply the ACL "set" to the uplink port session

     

    Part 1: Set the ACLs

    1. Click the Configuration main tab
    2. Click SECURITY->Access Control in left menu bar
    3. Click the Policies tab
    4. Click Edit on inbound_access entry
    5. Apply IP rules desired

    Part 2: Apply inbound_access to uplink

    1. Click the Configuration main tab
    2. Click NETWORK->Ports in left menu bar
    3. Click on the port which is the uplink. On my 620 this is port 8.
    4. Under Firewall Policy select inbound_access

    I think this does it in the GUI. Notice I used inbound_access and not ap_uplink_acl but probably just as good?

     

    Thanks for the help all.