Wireless Access

MVP Expert

AOS8 Controller as Router/Firewall and HowTo: Port-Forward

All of the threads regarding port-forwarding for Aruba Controllers are old and outdated. I've been through a few rounds with Controller as Public-Facing firewall and port-forwarding recently and thought I'd share my findings. In my scenario the Controller has a public-facing leg and many inside legs. It does all the routing and handles NAT. This is very much like the SD-Branch Gateway solution does it.


nat-inside vs nat-outside

* To ensure NAT for your user's internet-traffic - just add NAT-OUTSIDE on the public-facing interface of your controller. Thats it - no nat-inside on your internal vlan's.

The usecase for nat-inside would be if there is a subnet that only exist on your Controller (like Guest) and your Controller isn't the routing device. Add nat-inside to that vlan and the controller-ip will be used as src-nat address and the controller default-gateway doesn't need to know about this Guest subnet. That atleast is as far as I understood it - please correct me and/or add more usecases below and I'll update here.. ;)


secure your network

 * Here you want to create an ACL that allows just the necessary traffic to pass through. A Controller can also terminate tunnels from VPN users, RAP's or other Controllers, so make sure those are added too.


NOTE! If this is a customer and you want to manage this device from your corporate network, I suggest you create an alias (netdestination) for your corp-publicIP and add that as I've done here at the end


netdestination YOURCORP-PUBLICIP

ip access-list session OUTSIDE   any any svc-dhcp permit   any any svc-natt permit   any any svc-ike permit   any any svc-icmp permit   any any svc-esp permit any any svc-esp permit alias YOURCORP-PUBLICIP any any permit !

Then you add this list to the public facing interface as a session-based firewall policy:


Interface gigabitethernet 0/0/0
 description PUBLIC
 trusted vlan 2000
 ip access-group session “OUTSIDE”
 switchport access vlan 2000

Ok, now that you've secured your Controller AND ensured that you can remotely administer it - you are tasked with doing *eep* port-forwarding.


In AOS 6.x the global firewall was default allow-all so you just had to create the port-forwarding rule in the session ACL and you were done.


In AOS 8.x the firewall is default deny-all. Note that all common ports and protocols are still open (ssh, https/http, telnet, ftp etc), it's the uncommon ones you need to specifically open. Lets take a look at how this is now accomplished.


Ex: You need to let reach using port 5678 both with TCP and UDP.


netdestination CUSTOMER-IP

ip access-list session OUTSIDE
 alias CUSTOMER-IP any tcp 5678 dst-nat ip 5678
 alias CUSTOMER-IP any udp 5678 dst-nat ip 5678

  ipv4 permit any proto 6 ports 5678 5678
  ipv4 permit any proto 17  ports 5678 5678

#TCP - protocol 6

#UDP - protocol 17


For a BranchGW administered in Central this gets a little trickier, but not much ;)

  • Alias = Security -> Aliases
  • ACL/Policy = Security -> Policy
  • firewall-cp ports = Security -> Advanced -> Acl White List
  • Then add the OUTSIDE ACL on the public facing interface as a per-session firewall policy


I think that pretty much sums it up for the topic I had in mind - so leave a comment and add kudos if you like it :)


Kudos goes out to Twinkle at Aruba TAC for your assistance during my nightmarish Sunday! 


John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Search Airheads
Showing results for 
Search instead for 
Did you mean: