All of the threads regarding port-forwarding for Aruba Controllers are old and outdated. I've been through a few rounds with Controller as Public-Facing firewall and port-forwarding recently and thought I'd share my findings. In my scenario the Controller has a public-facing leg and many inside legs. It does all the routing and handles NAT. This is very much like the SD-Branch Gateway solution does it.
nat-inside vs nat-outside
* To ensure NAT for your user's internet-traffic - just add NAT-OUTSIDE on the public-facing interface of your controller. Thats it - no nat-inside on your internal vlan's.
The usecase for nat-inside would be if there is a subnet that only exist on your Controller (like Guest) and your Controller isn't the routing device. Add nat-inside to that vlan and the controller-ip will be used as src-nat address and the controller default-gateway doesn't need to know about this Guest subnet. That atleast is as far as I understood it - please correct me and/or add more usecases below and I'll update here.. ;)
secure your network
* Here you want to create an ACL that allows just the necessary traffic to pass through. A Controller can also terminate tunnels from VPN users, RAP's or other Controllers, so make sure those are added too.
NOTE! If this is a customer and you want to manage this device from your corporate network, I suggest you create an alias (netdestination) for your corp-publicIP and add that as I've done here at the end
netdestination YOURCORP-PUBLICIP
host 13.14.15.16
!
ip access-list session OUTSIDE
any any svc-dhcp permit
any any svc-natt permit
any any svc-ike permit
any any svc-icmp permit
any any svc-esp permit
any any svc-esp permit
alias YOURCORP-PUBLICIP any any permit
!
Then you add this list to the public facing interface as a session-based firewall policy:
Interface gigabitethernet 0/0/0
description PUBLIC
trusted
trusted vlan 2000
ip access-group session “OUTSIDE”
switchport access vlan 2000
!
Ok, now that you've secured your Controller AND ensured that you can remotely administer it - you are tasked with doing *eep* port-forwarding.
In AOS 6.x the global firewall was default allow-all so you just had to create the port-forwarding rule in the session ACL and you were done.
In AOS 8.x the firewall is default deny-all. Note that all common ports and protocols are still open (ssh, https/http, telnet, ftp etc), it's the uncommon ones you need to specifically open. Lets take a look at how this is now accomplished.
Ex: You need to let 123.1.2.3 reach 10.2.3.4 using port 5678 both with TCP and UDP.
netdestination CUSTOMER-IP
host 123.1.2.3
!
ip access-list session OUTSIDE
alias CUSTOMER-IP any tcp 5678 dst-nat ip 10.2.3.4 5678
alias CUSTOMER-IP any udp 5678 dst-nat ip 10.2.3.4 5678
!
firewall-cp
ipv4 permit any proto 6 ports 5678 5678
ipv4 permit any proto 17 ports 5678 5678
!
#TCP - protocol 6
#UDP - protocol 17
For a BranchGW administered in Central this gets a little trickier, but not much ;)
- Alias = Security -> Aliases
- ACL/Policy = Security -> Policy
- firewall-cp ports = Security -> Advanced -> Acl White List
- Then add the OUTSIDE ACL on the public facing interface as a per-session firewall policy
I think that pretty much sums it up for the topic I had in mind - so leave a comment and add kudos if you like it :)
Kudos goes out to Twinkle at Aruba TAC for your assistance during my nightmarish Sunday!