Wireless Access

Occasional Contributor II
Posts: 12
Registered: ‎04-13-2010

question about firewall policy (tcp 445 and tcp 139)

I have a Windows wireless client that needs to connect to a Windows share on a remote server via \\servername. The remote server is on the wired network, but both computers are on the same subnet.

The only firewall policy that's currently associated with the User Role is 'allowall':

!
ip access-list session allowall
  any any any permit
!
[...]
!
user-role Staff
  access-list session allowall
!

When the wireless client tries to connect to the Windows share it fails, and the Aruba firewall shows a few denies for this client, specifically ports tcp 445 and tcp 139. Connecting to the same remote server from a wired client on the same subnet works without any problems.

Why are some packets denied even though the only firewall rule is "any any any permit"?

Thanks,

Dan

Guru Elite
Posts: 21,579
Registered: ‎03-29-2007

Re: question about firewall policy (tcp 445 and tcp 139)

dbau wrote:

I have a Windows wireless client that needs to connect to a Windows share on a remote server via \\servername. The remote server is on the wired network, but both computers are on the same subnet.

The only firewall policy that's currently associated with the User Role is 'allowall':

!
ip access-list session allowall
  any any any permit
!
[...]
!
user-role Staff
  access-list session allowall
!

When the wireless client tries to connect to the Windows share it fails, and the Aruba firewall shows a few denies for this client, specifically ports tcp 445 and tcp 139. Connecting to the same remote server from a wired client on the same subnet works without any problems.

Why are some packets denied even though the only firewall rule is "any any any permit"?

Thanks,

Dan


Do you have an ACL on the uplink port of the controller, or is that VLAN untrusted? Type "show acl hits" while you are accessing that share to see if the hits of any ACL go up...


Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 12
Registered: ‎04-13-2010

Re: question about firewall policy (tcp 445 and tcp 139)

No ACL on the uplink port of the controller, and the VLAN is trusted (VLAN 130 in this case):

interface gigabitethernet 2/24
    description "gig2/24"
    trusted
    trusted vlan 1-4094
    switchport mode trunk
    switchport trunk native vlan 135
    switchport trunk allowed vlan 1,99,109-110,115,120,130-131,135,150,170,1038,1221

"Show acl hits role Staff" output:

User Role ACL Hits
------------------
Role  Policy    Src Dst Service Action Dest/Opcode New Hits Total Hits Index
----  ------    --- --- ------- ------ ----------- -------- ---------- -----
Staff allowall  any any any     permit             860      9036       8676

Guru Elite
Posts: 21,579
Registered: ‎03-29-2007

Re: question about firewall policy (tcp 445 and tcp 139)


dbau wrote:

No ACL on the uplink port of the controller, and the VLAN is trusted (VLAN 130 in this case):

interface gigabitethernet 2/24
    description "gig2/24"
    trusted
    trusted vlan 1-4094
    switchport mode trunk
    switchport trunk native vlan 135
    switchport trunk allowed vlan 1,99,109-110,115,120,130-131,135,150,170,1038,1221

"Show acl hits role Staff" output:

User Role ACL Hits
------------------
Role  Policy    Src Dst Service Action Dest/Opcode New Hits Total Hits Index
----  ------    --- --- ------- ------ ----------- -------- ---------- -----
Staff allowall  any any any     permit             860      9036       8676


Don't look for the hits ONLY for staff.  There could be a deny that overrules the permit.



Colin Joseph
Aruba Customer Engineering

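As an added example (not from the thread and not an Aruba tool), a small Python helper for the check Colin describes: parse two "show acl hits" snapshots, one taken before and one while the client is opening the share, and list every deny rule, in any role, whose Total Hits rose in between. The snapshots are constructed in the column layout quoted above; the deny-smb and logon rows and their counts are invented for illustration.

```python
from collections import namedtuple

# Constructed snapshots in the column layout of the "show acl hits" output
# quoted in the thread; the deny-smb and logon rows are invented for illustration.
BEFORE = """\
User Role ACL Hits
------------------
Role  Policy    Src Dst Service Action Dest/Opcode New Hits Total Hits Index
----  ------    --- --- ------- ------ ----------- -------- ---------- -----
Staff allowall  any any any     permit             860      9036       8676
Staff deny-smb  any any svc-smb deny               0        40         8690
Guest logon     any any svc-dns permit             5        310        8701
"""
# Same command run again while the client tries to open the share.
AFTER = """\
Role  Policy    Src Dst Service Action Dest/Opcode New Hits Total Hits Index
----  ------    --- --- ------- ------ ----------- -------- ---------- -----
Staff allowall  any any any     permit             211      9247       8676
Staff deny-smb  any any svc-smb deny               6        46         8690
Guest logon     any any svc-dns permit             0        310        8701
"""

# Dest/Opcode is empty in the thread's output but may carry a value, hence the
# split-from-both-ends parsing below.
AclHit = namedtuple("AclHit", "role policy src dst service action dest_opcode "
                              "new_hits total_hits index")

def parse_acl_hits(text):
    """Parse the 'User Role ACL Hits' table; title, header and dashed rules are skipped."""
    hits = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] in ("User", "Role") or f[0].startswith("-"):
            continue
        new_hits, total_hits, index = (int(x) for x in f[-3:])
        hits.append(AclHit(*f[:6], " ".join(f[6:-3]), new_hits, total_hits, index))
    return hits

def rules_that_grew(before, after):
    """(rule, delta) for every rule whose Total Hits rose between the two snapshots."""
    prev = {(h.role, h.policy, h.index): h.total_hits for h in before}
    out = []
    for h in after:
        delta = h.total_hits - prev.get((h.role, h.policy, h.index), 0)
        if delta > 0:
            out.append((h, delta))
    return out

def denies_that_grew(before, after):
    """The rules to chase: denies in ANY role that matched traffic during the test."""
    return [(h, d) for h, d in rules_that_grew(before, after) if h.action == "deny"]
```

Run the real command twice on the controller, paste each output into the two strings, and `denies_that_grew` points at the policy and role that is actually dropping the tcp 445/139 traffic.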
Occasional Contributor II
Posts: 12
Registered: ‎04-13-2010

Re: question about firewall policy (tcp 445 and tcp 139)

Will do, thanks! I'll report back.

Dan
