Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Dedicated VIA VPN - RAP controller ACL on its public interface

  • 1.  Dedicated VIA VPN - RAP controller ACL on its public interface

    Posted Sep 18, 2014 01:27 PM

    Hi,

    We've dedicated 7220 controllers for RAPs & VIA VPN services.

    We brought up 2 interfaces. One is used on an internal VLAN for management. The other is used on a publicly accessible VLAN interface for communication to VIA Clients & RAPs.

     

    What kind of ACL can I apply on the public interface to restrict traffic to only those needed ports & protocols (udp 500, udp 4500, protocol 50) for RAPs & VIA VPN clients to work?

    Is creating an access-list like so the way to go?

     

    conf term
    ip access-list session RAP-firewall
    any any any deny
    any any svc-ike permit
    any any svc-natt permit
    !

    & then apply this to my port.

    conf term
    interface gig 0/0/1
    ip access-group RAP-firewall
    !

     

     

    Would this suffice or is there a better way?

    TIA,

    --Raf

    #7220


  • 2.  RE: Dedicated VIA VPN - RAP controller ACL on its public interface
    Best Answer

    EMPLOYEE
    Posted Sep 18, 2014 01:28 PM

    That is exactly the way to do it!



  • 3.  RE: Dedicated VIA VPN - RAP controller ACL on its public interface

    Posted Sep 18, 2014 02:22 PM

    Thanks,

    Ended up adding ICMP for troubleshooting purposes.

     

    ip access-list session VIA-RAP-firewall
      any any svc-natt  permit 
      any any svc-https  permit 
      any any svc-icmp  permit 
      any any any  deny 
    !

    When time allows, I'll update ICMP to only allow from my organization's network.

    Also, since the access-list I created was a session based ACL, I needed to supply a type when applying it to the interface.


    (controller) #configure terminal interface gigabitethernet 0/0/1 ip access-group VIA-RAP-firewall 
    % Incomplete command.
    
    (controller) #configure terminal interface gigabitethernet 0/0/1 ip access-group VIA-RAP-firewall ?
    in                      Apply access-list to interface's inbound traffic
    out                     Apply access-list to interface's outbound traffic
    session                 Apply session access-list to interface or Vlan
    
    (controller) #show ip access-list VIA-RAP-firewall
    
    ip access-list session VIA-RAP-firewall
    VIA-RAP-firewall
    ----------------
    Priority  Source  Destination  Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          svc-natt   permit                           Low                                                           4
    2         any     any          svc-https  permit                           Low                                                           4
    3         any     any          svc-icmp   permit                           Low                                                           4
    4         any     any          any        deny                             Low                                                           4
    
    
    (controller) #configure terminal interface gigabitethernet 0/0/1 ip access-group VIA-RAP-firewall session 
    (controller) #


    Thanks,
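    Rule order is the part of this thread worth checking mechanically: ArubaOS evaluates the rules of a session ACL top-down and applies the first match, so a blanket deny placed first shadows every permit below it, which is why the final ACL in post 3 moves the deny to the end. The script below is an added example, not code from this thread or from HPE Aruba. It parses the CLI-style ACL text used above, evaluates a flow against it with first-match semantics, and reports which of the flows the question says RAPs and VIA need (udp 500, udp 4500, protocol 50) a given ACL would not permit. The mapping of svc-ike and svc-natt to udp 500 and udp 4500 follows the question; the svc-esp, svc-https and svc-icmp mappings and the hardened ACL text are assumptions for illustration.

```python
"""First-match evaluation of ArubaOS-style session ACL text (added example).

Assumes ArubaOS semantics: rules are evaluated in order, the first matching
rule decides, and a flow matching no rule is denied.
"""
import re

# Assumed alias table: alias -> (IP protocol number, destination port or None).
# svc-ike/svc-natt follow the ports named in the question; the rest are
# assumed standard values, not taken from the thread.
SERVICE_ALIASES = {
    "svc-ike":   (17, 500),    # UDP 500, IKE
    "svc-natt":  (17, 4500),   # UDP 4500, IPsec NAT-T
    "svc-esp":   (50, None),   # IP protocol 50, ESP (no ports)
    "svc-https": (6, 443),     # TCP 443
    "svc-icmp":  (1, None),    # ICMP
    "any":       (None, None), # matches every protocol and port
}

RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(permit|deny)$")


def parse_session_acl(text):
    """Return the ordered rules (src, dst, service, action) of an ACL block.

    The 'ip access-list session NAME' header and the '!' terminator are
    skipped; any other unrecognised line is an error rather than ignored.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!" or line.startswith("ip access-list"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        src, dst, svc, action = m.groups()
        if svc not in SERVICE_ALIASES:
            raise ValueError(f"unknown service alias: {svc}")
        rules.append((src, dst, svc, action))
    return rules


def service_matches(svc, proto, dport):
    """True when a flow (proto, dport) falls under the service alias."""
    want_proto, want_port = SERVICE_ALIASES[svc]
    if want_proto is None:          # 'any'
        return True
    if want_proto != proto:
        return False
    return want_port is None or want_port == dport


def evaluate(rules, proto, dport=None):
    """First matching rule decides; no match means implicit deny."""
    for _, _, svc, action in rules:
        if service_matches(svc, proto, dport):
            return action
    return "deny"


# Flows the question states RAPs and VIA clients need on the public interface.
REQUIRED_FLOWS = {
    "IKE udp/500": (17, 500),
    "NAT-T udp/4500": (17, 4500),
    "ESP proto 50": (50, None),
}


def blocked_required_flows(rules):
    """Names of required flows the ACL does not permit, sorted for stable output."""
    return sorted(name for name, (proto, port) in REQUIRED_FLOWS.items()
                  if evaluate(rules, proto, port) != "permit")


# Constructed inputs: the ACL from post 1 (deny first) and from post 3 (deny
# last), plus an assumed variant that also permits IKE and ESP.
DENY_FIRST_ACL = """ip access-list session RAP-firewall
any any any deny
any any svc-ike permit
any any svc-natt permit
!
"""

POSTED_FINAL_ACL = """ip access-list session VIA-RAP-firewall
  any any svc-natt  permit
  any any svc-https  permit
  any any svc-icmp  permit
  any any any  deny
!
"""

HARDENED_ACL = """ip access-list session VIA-RAP-firewall
  any any svc-ike permit
  any any svc-natt permit
  any any svc-esp permit
  any any svc-https permit
  any any svc-icmp permit
  any any any deny
!
"""

if __name__ == "__main__":
    for label, text in (("deny-first", DENY_FIRST_ACL),
                        ("posted-final", POSTED_FINAL_ACL),
                        ("hardened", HARDENED_ACL)):
        print(f"{label:13s} blocks: {blocked_required_flows(parse_session_acl(text))}")
```

    Running it shows the deny-first list from post 1 blocking all three required flows under first-match evaluation, and the posted final list permitting only NAT-T of the three; whether IKE on udp 500 and raw ESP are actually needed depends on whether every RAP and VIA client sits behind NAT and so always uses udp 4500, which the thread does not settle.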