ArubaOS and Controllers

Occasional Contributor II

Captive Port Internal DMZ Issue

I have set up a captive port config for guest access and it works great, but we are unable to hit our internal web servers. I have tried assigning external DNS servers so we would get the public IP address our internal network rule that blocks access to the internal network was causing it. Has anyone had this issue or can give me some ideas?

Guru Elite

Web Servers

If the firewall that is allowing your guest users to go out is the same firewall that you use to do the translation for the public addresses to internal addresses, you probably cannot do this. If you have the users do DNS resolution to your internal DNS servers this will help. Most people deny any guest traffic to internal destinations in the user role. You will have to place a rule(s) before that deny to allow users to reach those internal web servers.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
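The rule-ordering point in the reply above, as an added example that is not part of the original thread: a small Python model of top-down, first-match rule evaluation (the behaviour the advice to place the allow before the deny relies on) plus a check that flags rules shadowed by an earlier rule. All rule names, networks and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    dest: str             # destination network, CIDR
    port: Optional[int]   # None means any port
    action: str           # "permit" or "deny"

def matches(rule, dest_ip, port):
    in_net = ipaddress.ip_address(dest_ip) in ipaddress.ip_network(rule.dest)
    return in_net and (rule.port is None or rule.port == port)

def evaluate(rules, dest_ip, port):
    """Top-down, first match wins; anything unmatched is denied."""
    for rule in rules:
        if matches(rule, dest_ip, port):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def covers(earlier, later):
    """True if 'earlier' matches every packet that 'later' matches."""
    net_e = ipaddress.ip_network(earlier.dest)
    net_l = ipaddress.ip_network(later.dest)
    return net_l.subnet_of(net_e) and (earlier.port is None or earlier.port == later.port)

def shadowed(rules):
    """(rule, shadowing rule) pairs where an earlier rule with the
    opposite action fully covers a later one, so the later never fires."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != rule.action and covers(earlier, rule):
                found.append((rule.name, earlier.name))
                break
    return found

# Constructed guest-role policy: 10.0.0.0/8 is "internal",
# 10.20.30.10 is a DMZ web server reached on its internal address.
DENY_INTERNAL = Rule("deny-internal", "10.0.0.0/8", None, "deny")
ALLOW_DMZ_WEB = Rule("allow-dmz-web", "10.20.30.10/32", 443, "permit")
ALLOW_INTERNET = Rule("allow-internet", "0.0.0.0/0", None, "permit")

DENY_FIRST = [DENY_INTERNAL, ALLOW_DMZ_WEB, ALLOW_INTERNET]   # web server unreachable
ALLOW_FIRST = [ALLOW_DMZ_WEB, DENY_INTERNAL, ALLOW_INTERNET]  # allow placed before the deny

if __name__ == "__main__":
    for label, policy in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(label, evaluate(policy, "10.20.30.10", 443), "shadowed:", shadowed(policy))
```
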

Captive Port internal DMZ issue

Hi, we had something our DMZ and default gateway use the same firewall device.

The captive portal users only had access to external DNS, therefore would use the firewall server that was also acting as a NAT device for (ext->int) services.

This is called 'hairpinning', where the client had to be redirected from the firewall's internal interface back into the internal network.

We were using a Cisco ASA firewall device. The problem was fixed using rules that would allow for the above. But every service needed a complement rule. We finally changed our captive portal to a different DMZ (ext IP).

Occasional Contributor II

Captive Port internal DMZ issue

I rearranged the controller firewall rules and it was all better:

  • cplogout
  • Guest-Logon-Access (access list for what services are allowed before login)
  • Guest-Access (access list for what services are allowed after login)
  • Block Internal Networks (internal network list)
  • DMZ (our dmz server list)
  • Drop-and-Log
