Wireless Access

Reply
Highlighted
MVP

AOS8 Controller as Router/Firewall and HowTo: Port-Forward

All of the threads regarding port-forwarding for Aruba Controllers are old and outdated. I've been through a few rounds with Controller as Public-Facing firewall and port-forwarding recently and thought I'd share my findings. In my scenario the Controller has a public-facing leg and many inside legs. It does all the routing and handles NAT. This is very much like the SD-Branch Gateway solution does it.

 

nat-inside vs nat-outside

* To ensure NAT for your user's internet-traffic - just add NAT-OUTSIDE on the public-facing interface of your controller. Thats it - no nat-inside on your internal vlan's.

The usecase for nat-inside would be if there is a subnet that only exist on your Controller (like Guest) and your Controller isn't the routing device. Add nat-inside to that vlan and the controller-ip will be used as src-nat address and the controller default-gateway doesn't need to know about this Guest subnet. That atleast is as far as I understood it - please correct me and/or add more usecases below and I'll update here.. ;)

 

secure your network

 * Here you want to create an ACL that allows just the necessary traffic to pass through. A Controller can also terminate tunnels from VPN users, RAP's or other Controllers, so make sure those are added too.

 

NOTE! If this is a customer and you want to manage this device from your corporate network, I suggest you create an alias (netdestination) for your corp-publicIP and add that as I've done here at the end

 

netdestination YOURCORP-PUBLICIP
host 13.14.15.16
!

ip access-list session OUTSIDE   any any svc-dhcp permit   any any svc-natt permit   any any svc-ike permit   any any svc-icmp permit   any any svc-esp permit any any svc-esp permit alias YOURCORP-PUBLICIP any any permit !

Then you add this list to the public facing interface as a session-based firewall policy:

 

Interface gigabitethernet 0/0/0
 description PUBLIC
 trusted
 trusted vlan 2000
 ip access-group session “OUTSIDE”
 switchport access vlan 2000
!

Ok, now that you've secured your Controller AND ensured that you can remotely administer it - you are tasked with doing *eep* port-forwarding.

 

In AOS 6.x the global firewall was default allow-all so you just had to create the port-forwarding rule in the session ACL and you were done.

 

In AOS 8.x the firewall is default deny-all. Note that all common ports and protocols are still open (ssh, https/http, telnet, ftp etc), it's the uncommon ones you need to specifically open. Lets take a look at how this is now accomplished.

 

Ex: You need to let 123.1.2.3 reach 10.2.3.4 using port 5678 both with TCP and UDP.

 

netdestination CUSTOMER-IP
 host 123.1.2.3
!

ip access-list session OUTSIDE
 alias CUSTOMER-IP any tcp 5678 dst-nat ip 10.2.3.4 5678
 alias CUSTOMER-IP any udp 5678 dst-nat ip 10.2.3.4 5678
!

firewall-cp
  ipv4 permit any proto 6 ports 5678 5678
  ipv4 permit any proto 17  ports 5678 5678
!

#TCP - protocol 6

#UDP - protocol 17

 

For a BranchGW administered in Central this gets a little trickier, but not much ;)

  • Alias = Security -> Aliases
  • ACL/Policy = Security -> Policy
  • firewall-cp ports = Security -> Advanced -> Acl White List
  • Then add the OUTSIDE ACL on the public facing interface as a per-session firewall policy

 

I think that pretty much sums it up for the topic I had in mind - so leave a comment and add kudos if you like it :)

 

Kudos goes out to Twinkle at Aruba TAC for your assistance during my nightmarish Sunday! 

 


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Highlighted

Re: AOS8 Controller as Router/Firewall and HowTo: Port-Forward

Hi John,

Do we need a license for use Aruba mobility controller as a router in third party network environment?

Dinusha Chandrasinghe
Network Engineer -Enterprise System Solution @PlexusGlobal
ACMP | ACSA | ACCA | MCSA
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*


Highlighted
MVP

Re: AOS8 Controller as Router/Firewall and HowTo: Port-Forward

Yes, you need a pef license to activate the firewall. I suggest 1 pef + 1 ap license you can use a RAP also if you need to test the inside of the network - quite handy at times.. You could go with the PEF-V instead and you can use it as Aruba VIA VPN box, tho it's a fair bit more expensive.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Highlighted

Re: AOS8 Controller as Router/Firewall and HowTo: Port-Forward

Without PEF or AP,  does it support routing, nat and basic router features.

Dinusha Chandrasinghe
Network Engineer -Enterprise System Solution @PlexusGlobal
ACMP | ACSA | ACCA | MCSA
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*


Highlighted
MVP

Re: AOS8 Controller as Router/Firewall and HowTo: Port-Forward

I believe it does, but you should get this confirmed in a lab or by other peers here before you start buying the equipment 1 AP and 1 PEF-NG is a cheap security to have tho.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: