Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

question about firewall policy (tcp 445 and tcp 139)

  • 1.  question about firewall policy (tcp 445 and tcp 139)

    Posted Nov 04, 2013 04:04 PM

    I have a Windows wireless client that needs to connect to a Windows share on a remote server via \\servername. The remote server is on the wired network, but both computers are on the same subnet.

    The only firewall policy that's currently associated with the User Role is 'allowall':

    !
    ip access-list session allowall
      any any any permit
    !
    [...]
    !
    user-role Staff
      access-list session allowall
    !

    When the wireless client tries to connect to the Windows share it fails, and the Aruba firewall shows a few denies for this client, specifically ports tcp 445 and tcp 139. Connecting to the same remote server from a wired client on the same subnet works without any problems.

    Why are some packets denied even though the only firewall rule is "any any any permit"?

    Thanks,

    Dan

  • 2.  RE: question about firewall policy (tcp 445 and tcp 139)

    EMPLOYEE
    Posted Nov 04, 2013 04:12 PM

    Do you have an ACL on the uplink port of the controller, or is that VLAN untrusted?  Type "show acl hits" while you are accessing that share to see if the hits of any ACL go up...

  • 3.  RE: question about firewall policy (tcp 445 and tcp 139)

    Posted Nov 04, 2013 05:15 PM

    No ACL on the uplink port of the controller, and the VLAN is trusted (VLAN 130 in this case):

    interface gigabitethernet 2/24
        description "gig2/24"
        trusted
        trusted vlan 1-4094
        switchport mode trunk
        switchport trunk native vlan 135
        switchport trunk allowed vlan 1,99,109-110,115,120,130-131,135,150,170,1038,1221

    "Show acl hits role Staff" output:

    User Role ACL Hits

    ------------------
    Role  Policy    Src Dst Service Action Dest/Opcode New Hits Total Hits Index
    ----  ------    --- --- ------- ------ ----------- -------- ---------- -----
    Staff allowall  any any any     permit             860      9036       8676

  • 4.  RE: question about firewall policy (tcp 445 and tcp 139)

    EMPLOYEE
    Posted Nov 04, 2013 05:17 PM

    Don't look for the hits ONLY for staff.  There could be a deny that overrules the permit.
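The check suggested in posts 2 and 4 above, written out as an added example: capture "show acl hits" once while the client is idle and once while it is retrying the share, then look for any entry in any table, not only the Staff role, whose counter rises with an action other than permit. This is not code from the thread or from HPE Aruba. The "User Role ACL Hits" table in the sample is the one posted above; the second table's title "Port Based Session ACL Hits", the policy name smb-deny, the port 2/24 and every counter value are constructed for the example, and a real controller prints its own set of sections. The parser takes each column's start position from the dash ruler under the header, which is how it copes with a value wider than its ruler (Staff over ----).

```python
"""Find which ACL entry is dropping a client's traffic from two 'show acl hits' captures."""
import re
from dataclasses import dataclass

COUNTERS = ("New Hits", "Total Hits")

@dataclass(frozen=True)
class AclHit:
    section: str        # table title, e.g. "User Role ACL Hits"
    fields: tuple       # ((column, value), ...) for every non-counter column; identifies the entry
    new_hits: int
    total_hits: int

    @property
    def action(self):
        return dict(self.fields).get("Action", "").lower()

def _dash_runs(line):
    """Dash runs of a ruler line such as '----  ------', or [] if the line is not a pure ruler."""
    return re.findall(r"-+", line) if line.strip() and not line.strip("- ") else []

def _cells(line, starts):
    """Slice a fixed-width row at each column's start; a value may spill past its ruler width."""
    ends = starts[1:] + [None]
    return [line[s:e].strip() for s, e in zip(starts, ends)]

def parse_acl_hits(text):
    """Parse every fixed-width table in a 'show acl hits' capture into AclHit entries."""
    lines = text.splitlines()
    entries, section, i = [], "", 0
    while i < len(lines):
        runs = _dash_runs(lines[i])
        if len(runs) == 1 and i > 0:
            section = lines[i - 1].strip()          # a table title is underlined by one dash run
        elif len(runs) >= 2 and i > 0:
            starts = [m.start() for m in re.finditer(r"-+", lines[i])]
            names = _cells(lines[i - 1], starts)     # the column header sits just above the ruler
            i += 1
            while i < len(lines) and lines[i].strip():
                row = dict(zip(names, _cells(lines[i], starts)))
                entries.append(AclHit(
                    section,
                    tuple((n, row[n]) for n in names if n not in COUNTERS),
                    int(row.get("New Hits") or 0),
                    int(row.get("Total Hits") or 0)))
                i += 1
            continue
        i += 1
    return entries

def entries_that_grew(before, after, only_denies=True):
    """Entries whose Total Hits rose between two captures, as (section, fields, delta) tuples.
    Total Hits is cumulative; New Hits resets each time the table is shown, so it is ignored."""
    previous = {(h.section, h.fields): h for h in parse_acl_hits(before)}
    grew = []
    for hit in parse_acl_hits(after):
        old = previous.get((hit.section, hit.fields))
        delta = hit.total_hits - (old.total_hits if old else 0)
        if delta > 0 and (not only_denies or hit.action != "permit"):
            grew.append((hit.section, dict(hit.fields), delta))
    return grew

# Constructed sample captures (not real controller output): BEFORE with the client idle,
# DURING while it retries the share. Table 1 mirrors the thread; table 2 and its values are made up.
BEFORE = """\
User Role ACL Hits
------------------
Role  Policy    Src Dst Service Action Dest/Opcode New Hits Total Hits Index
----  ------    --- --- ------- ------ ----------- -------- ---------- -----
Staff allowall  any any any     permit             860      9036       8676

Port Based Session ACL Hits
---------------------------
Port  Policy    Src Dst Service Action Dest/Opcode New Hits Total Hits Index
----  ------    --- --- ------- ------ ----------- -------- ---------- -----
2/24  smb-deny  any any tcp 445 deny               0        12         9102
2/24  smb-deny  any any tcp 139 deny               0        3          9103
2/24  smb-deny  any any udp 137 deny               0        7          9104
"""

DURING = """\
User Role ACL Hits
------------------
Role  Policy    Src Dst Service Action Dest/Opcode New Hits Total Hits Index
----  ------    --- --- ------- ------ ----------- -------- ---------- -----
Staff allowall  any any any     permit             112      9148       8676

Port Based Session ACL Hits
---------------------------
Port  Policy    Src Dst Service Action Dest/Opcode New Hits Total Hits Index
----  ------    --- --- ------- ------ ----------- -------- ---------- -----
2/24  smb-deny  any any tcp 445 deny               4        16         9102
2/24  smb-deny  any any tcp 139 deny               2        5          9103
2/24  smb-deny  any any udp 137 deny               0        7          9104
"""

if __name__ == "__main__":
    print(*entries_that_grew(BEFORE, DURING), sep="\n")
```

Run as a script it prints the two deny entries (tcp 445 and tcp 139) whose counters moved while the client was retrying; with only_denies=False it also lists the allowall permit, which confirms the client's other packets were counted by the role policy. One caveat worth keeping in mind: these counters are per ACL entry, not per client, so on a busy controller another user's traffic can move them too; take the captures in a quiet period, or repeat them and look for a delta that tracks the client's connection attempts.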



  • 5.  RE: question about firewall policy (tcp 445 and tcp 139)

    Posted Nov 04, 2013 05:42 PM

    Will do, thanks! I'll report back.

    Dan