Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Aruba RAP-3 and Cisco Firewall

  • 1.  Aruba RAP-3 and Cisco Firewall

    Posted Dec 16, 2014 03:29 PM

    I have an Aruba RAP-3 that needs to communicate to the main site where the controller is at. The traffic of the RAP-3 needs to first go out through a Cisco firewall where the RAP-3 is at. There is an access list on the INSIDE interface of the firewall that allows all TCP and UDP ports, and IPSec ports to be open for the RAP-3 so it can go out the firewall and talk to the controller. The RAP-3 is also NATted with an external IP. However, the RAP-3 cannot communicate to the controller. From the controller I can ping and traceroute to the RAP-3, but I don't understand why the RAP-3 and the controller cannot communicate with each other via IPSec.



  • 2.  RE: Aruba RAP-3 and Cisco Firewall

    EMPLOYEE
    Posted Dec 16, 2014 03:43 PM

    Diagram, please.



  • 3.  RE: Aruba RAP-3 and Cisco Firewall

    Posted Dec 16, 2014 05:43 PM

    ARUBA 2.jpg



  • 4.  RE: Aruba RAP-3 and Cisco Firewall

    EMPLOYEE
    Posted Dec 16, 2014 07:20 PM

    jdeleon71,

     

    Does the Aruba controller have a NATted public IP address on your firewall? Are you allowing UDP 4500 traffic inbound from any IP address to that NATted public IP address on your firewall? If your answer to both questions is yes, it should work fine.

     

    Have you seen the Remote AP (RAP) VRD here:  http://www.arubanetworks.com/wp-content/uploads/RAPVRD_version_8.pdf  ?



  • 5.  RE: Aruba RAP-3 and Cisco Firewall

    Posted Dec 17, 2014 09:02 AM

    The Aruba controller's public IP would be the 10.1.1.71 as indicated on the diagram, and yes, I am allowing UDP 4500 traffic inbound from any IP address to the NATted IP address.



  • 6.  RE: Aruba RAP-3 and Cisco Firewall

    EMPLOYEE
    Posted Dec 17, 2014 09:04 AM

    Do you see "hits" on the firewall from the RAP's IP address?

    Did you provision the access point as a remote AP pointing to the address?

     



  • 7.  RE: Aruba RAP-3 and Cisco Firewall

    Posted Dec 17, 2014 01:21 PM

    I did provision the access point. I do not see any hits on the firewall. I did a packet capture and I see the packet going out the firewall, but I do not see anything coming back from the controller on the outside. Do I need to do anything on the controller's firewall?
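
The capture check described in the post above (packets leaving toward the controller, nothing coming back) can be run over a text capture. This is an added example, not part of the thread: the addresses and the simplified tcpdump-style lines are constructed, and `nat_t_counts` and `unanswered_peers` are hypothetical helper names.

```python
import re
from collections import defaultdict

NAT_T_PORT = 4500  # UDP port the thread says must be allowed inbound to the controller

# Constructed, simplified tcpdump-style lines (documentation addresses, not from the thread).
# Assumption: 203.0.113.71 stands in for the controller's NATted public address.
SAMPLE_CAPTURE = """\
09:02:11.100 IP 198.51.100.20.4500 > 203.0.113.71.4500: UDP, length 424
09:02:13.100 IP 198.51.100.20.4500 > 203.0.113.71.4500: UDP, length 424
09:02:17.100 IP 198.51.100.20.4500 > 203.0.113.71.4500: UDP, length 424
09:02:18.250 IP 198.51.100.21.4500 > 203.0.113.71.4500: UDP, length 424
09:02:18.310 IP 203.0.113.71.4500 > 198.51.100.21.4500: UDP, length 392
09:02:19.000 IP 198.51.100.20.53124 > 203.0.113.9.53: UDP, length 40
"""

# Matches "IP <src>.<sport> > <dst>.<dport>: UDP" in each line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def nat_t_counts(capture_text, controller_ip, port=NAT_T_PORT):
    """Return {peer_ip: (packets_to_controller, packets_from_controller)}."""
    counts = defaultdict(lambda: [0, 0])
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a UDP line in the expected format
        if m["dst"] == controller_ip and int(m["dport"]) == port:
            counts[m["src"]][0] += 1
        elif m["src"] == controller_ip and int(m["sport"]) == port:
            counts[m["dst"]][1] += 1
    return {peer: tuple(c) for peer, c in counts.items()}


def unanswered_peers(capture_text, controller_ip, port=NAT_T_PORT):
    """Peers that sent UDP/<port> to the controller and saw no reply in the capture."""
    counts = nat_t_counts(capture_text, controller_ip, port)
    return sorted(p for p, (out, back) in counts.items() if out and not back)


if __name__ == "__main__":
    for peer in unanswered_peers(SAMPLE_CAPTURE, "203.0.113.71"):
        print(f"{peer}: UDP/{NAT_T_PORT} sent, nothing returned")
```

A peer listed as unanswered points at the return path or the controller side (the inbound UDP 4500 rule, the NAT for the controller, or the RAP whitelist raised elsewhere in this thread) rather than at the outbound rule.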



  • 8.  RE: Aruba RAP-3 and Cisco Firewall

    Posted Dec 17, 2014 01:49 PM
    Is it in the controller's whitelist?


  • 9.  RE: Aruba RAP-3 and Cisco Firewall

    Posted Dec 17, 2014 02:11 PM

    Do the following:

    - Make sure you have AOS 6.2 and up

    - From the Remote Location can you ping the Public IP address

    - Make sure you add VPN Pool to provide an Internal IP address 

    - Add the MAC address of the RAP to the RAP Whitelist

    - In the AP-Group add the PUBLIC IP Address to the provision > Master IP

    2014-12-17 14_04_05-AP Group.png

    - Factory Reset the RAP

    - Connect to the Instant SSID and open a browser to reach instant.arubanetworks.com, log in using admin/admin

    - From the Maintenance Tab 

    2014-12-17 14_07_58-Instant.png

    - Finally Click on Convert NOW




  • 10.  RE: Aruba RAP-3 and Cisco Firewall

    Posted Dec 17, 2014 02:26 PM

    Yes.



  • 11.  RE: Aruba RAP-3 and Cisco Firewall

    Posted Dec 18, 2014 03:28 PM

    Thanks.  I would have skipped the provisioning profile step.  I have never used that before.  The rest had been done already.  The AP is up and operational, just want to make sure it comes up remotely.