AOS8 Controller as Router/Firewall and HowTo: Port-Forward
3 weeks ago - last edited 3 weeks ago
All of the threads regarding port-forwarding for Aruba Controllers are old and outdated. I've been through a few rounds with Controller as Public-Facing firewall and port-forwarding recently and thought I'd share my findings. In my scenario the Controller has a public-facing leg and many inside legs. It does all the routing and handles NAT. This is very much like the SD-Branch Gateway solution does it.
nat-inside vs nat-outside
* To ensure NAT for your user's internet-traffic - just add NAT-OUTSIDE on the public-facing interface of your controller. Thats it - no nat-inside on your internal vlan's.
The usecase for nat-inside would be if there is a subnet that only exist on your Controller (like Guest) and your Controller isn't the routing device. Add nat-inside to that vlan and the controller-ip will be used as src-nat address and the controller default-gateway doesn't need to know about this Guest subnet. That atleast is as far as I understood it - please correct me and/or add more usecases below and I'll update here.. ;)
secure your network
* Here you want to create an ACL that allows just the necessary traffic to pass through. A Controller can also terminate tunnels from VPN users, RAP's or other Controllers, so make sure those are added too.
NOTE! If this is a customer and you want to manage this device from your corporate network, I suggest you create an alias (netdestination) for your corp-publicIP and add that as I've done here at the end
ip access-list session OUTSIDE any any svc-dhcp permit any any svc-natt permit any any svc-ike permit any any svc-icmp permit any any svc-esp permit any any svc-esp permit alias YOURCORP-PUBLICIP any any permit !
Then you add this list to the public facing interface as a session-based firewall policy:
Interface gigabitethernet 0/0/0 description PUBLIC trusted trusted vlan 2000 ip access-group session “OUTSIDE” switchport access vlan 2000 !
Ok, now that you've secured your Controller AND ensured that you can remotely administer it - you are tasked with doing *eep* port-forwarding.
In AOS 6.x the global firewall was default allow-all so you just had to create the port-forwarding rule in the session ACL and you were done.
In AOS 8.x the firewall is default deny-all. Note that all common ports and protocols are still open (ssh, https/http, telnet, ftp etc), it's the uncommon ones you need to specifically open. Lets take a look at how this is now accomplished.
Ex: You need to let 220.127.116.11 reach 10.2.3.4 using port 5678 both with TCP and UDP.
netdestination CUSTOMER-IP host 18.104.22.168 ! ip access-list session OUTSIDE alias CUSTOMER-IP any tcp 5678 dst-nat ip 10.2.3.4 5678 alias CUSTOMER-IP any udp 5678 dst-nat ip 10.2.3.4 5678 ! firewall-cp ipv4 permit any proto 6 ports 5678 5678 ipv4 permit any proto 17 ports 5678 5678 !
#TCP - protocol 6
#UDP - protocol 17
For a BranchGW administered in Central this gets a little trickier, but not much ;)
- Alias = Security -> Aliases
- ACL/Policy = Security -> Policy
- firewall-cp ports = Security -> Advanced -> Acl White List
- Then add the OUTSIDE ACL on the public facing interface as a per-session firewall policy
I think that pretty much sums it up for the topic I had in mind - so leave a comment and add kudos if you like it :)
Kudos goes out to Twinkle at Aruba TAC for your assistance during my nightmarish Sunday!
-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!