Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Guest Network and Accessing Public Web Sites Hosted Internally

  • 1.  Guest Network and Accessing Public Web Sites Hosted Internally

    MVP
    Posted Feb 15, 2017 11:50 AM

    We have a guest network configured exactly as described in Aruba's literature found here. It works great, but when connected to it, we are unable to access any web site, hosted internally, that is available publicly.

    Has anyone else come across this?



  • 2.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    Posted Feb 16, 2017 05:05 AM

    EDIT: Oops, I misread your post.

    I've seen this before. In the scenario I had, the firewall didn't know how to route the guest traffic to the sites. Have you got the firewall set up to allow Guest --> External site IP --> Internal site IP --> External Site IP --> Guest?



  • 3.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    MVP
    Posted Feb 16, 2017 06:46 AM

    James,

    Thanks for the response. I have our guest network on the controller configured exactly as described in Aruba's documentation. What changes can I make to get this to work? I'm not sure if I understand what you mean.



  • 4.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    Posted Feb 16, 2017 06:50 AM
    What exactly is happening?

    Are the guests able to resolve the DNS name of your site? What does it resolve to (internal or external IP)?


  • 5.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    MVP
    Posted Feb 16, 2017 07:07 AM

    Guest users are not able to ping or access any of our external sites and IPs. They can access any Internet site except for the sites that exist internally alongside the controller. It seems as if the guest VLAN on the controller doesn't have access to the external IPs of our internal sites. It tries to resolve the external IPs, not internal, which I would assume is correct, but can't.

    There are no specific rules on the controller's firewall that I can see that are restricting this.



  • 6.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    Posted Feb 16, 2017 07:43 AM

    I'm confused by your response.

    Can we clear this up...

    1. If you ping one of the websites' external DNS names, does it resolve it to an IP address?
    2. If yes for question 1, does it resolve to the external IP address?


  • 7.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    MVP
    Posted Feb 16, 2017 07:58 AM

    Sorry for the confusion.

    1. No. If I ping one of our external DNS names, it attempts to ping the external IP, not the internal, but it's unable to contact it and times out.



  • 8.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    Posted Feb 16, 2017 08:01 AM

    No worries.

    Ok, so DNS is working and resolving to the correct IP addresses. I believe the issue is likely going to be firewall related. Can you check your firewall to see if it's dropping/blocking this traffic?

    I would try setting up a continuous ping to one of the sites, then check the firewall for this traffic.



  • 9.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    MVP
    Posted Feb 16, 2017 08:03 AM

    The firewall on the controller, our site's firewall, or both?



  • 10.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    Posted Feb 16, 2017 08:03 AM
    Your site firewall. :)


  • 11.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    MVP
    Posted Feb 16, 2017 08:30 AM

    Nope, nothing on the firewall. I'm inclined to think that the issue is on the controller, just not sure where to look as of yet.



  • 12.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    Posted Feb 16, 2017 08:34 AM
    Try browsing to the site and checking the "site firewall". ICMP is probably not allowed by your guest role.


  • 13.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    MVP
    Posted Feb 16, 2017 08:46 AM

    You're correct. It looks like ICMP is not currently included in any of the roles. I can see traffic on our firewall generated when navigating to an accessible site, such as CNN.com, but if I attempt to navigate to one of our external IPs, there's nothing on the firewall. That leads me to believe that the traffic is not leaving the controller.



  • 14.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    Posted Feb 16, 2017 08:52 AM

    Ok. What are the firewall rules on the role that your guest user is on?

    You can run #show rights <guest role> to find them.

    Also try the following. Attempt to browse to one of the sites. Then immediately on the CLI do the following:

    #show datapath session table <external site IP>

    ...where <external site IP> is the IP address of the website you're trying to access. Then post the result back here.

    Here's some details about this command.

    It will show if the traffic is being blocked on the controller.



  • 15.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    MVP
    Posted Feb 16, 2017 09:00 AM

    (Aruba7210) #show rights auth-guest

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'auth-guest'
    Up BW:No Limit   Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 1
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    ACL Number = 94/0
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------
    Position  Name                   Type     Location
    --------  ----                   ----     --------
    1         global-sacl            session
    2         apprf-auth-guest-sacl  session
    3         cplogout               session
    4         guest-logon-access     session
    5         block-internal-access  session
    6         auth-guest-access      session
    7         drop-and-log           session

    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

    apprf-auth-guest-sacl
    ---------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

    cplogout
    --------
    Priority  Source  Destination  Service    Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    controller   svc-https               dst-nat 8081                           Low                                                           4

    guest-logon-access
    ------------------
    Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          udp 68                 deny                             Low                                                           4
    2         any     any          svc-dhcp               permit                           Low                                                           4
    3         user    Public-DNS   svc-dns                permit                           Low                                                           4

    block-internal-access
    ---------------------
    Priority  Source  Destination       Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------       -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    Internal-Network  any                   deny                             Low                                                           4

    auth-guest-access
    -----------------
    Priority  Source  Destination  Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          svc-http                permit                           Low                                                           4
    2         user    any          svc-https               permit                           Low                                                           4

    drop-and-log
    ------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          any                   deny               Yes           Low                                                           4

    AND

    (Aruba7210) #show datapath session table 216.37.255.6

    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop
           A - Application Firewall Inspect

    Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
    192.168.200.174 [EXTERNAL IP]    6    50616 80     0/0     0    24  0   tunnel 1167 3    4          256        SYTC
    [EXTERNAL IP]   10.0.0.101      6    80    50616  0/0     0    24  0   tunnel 1167 3    0          0          NY

     



  • 16.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    Posted Feb 16, 2017 09:10 AM

    So you're using source NAT on the traffic leaving the guest network. On your site firewall you should see the traffic attempting to get to 216.37.255.6 from your controller's IP address.

    The outputs from the show datapath command show that it's not being blocked on the controller.

    Is 10.0.0.101 the controller?

    (let me know if you want me to remove your IP addresses from this post)
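To make the reasoning in the reply above repeatable, here is an added example (not from the thread or from Aruba) that parses rows of the `show datapath session table` output, decodes the flag letters from the command's own legend, and reports whether a client-to-site flow was denied by a role ACL on the controller or forwarded (source-NATed) with no reply, which points at the upstream firewall. The sample rows are constructed after the thread's output, with 203.0.113.10 standing in for the site's public IP.

```python
"""Decode rows of an Aruba 'show datapath session table' listing. Added example, not
Aruba's code; the SAMPLE rows are constructed, 203.0.113.10 is a stand-in public IP."""
import re

# Flag letters as the command's own legend lists them.
FLAG_MEANINGS = {
    "F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny", "R": "redirect",
    "Y": "no syn", "H": "high prio", "P": "set prio", "T": "set ToS", "C": "client",
    "M": "mirror", "V": "VOIP", "Q": "Real-Time Quality analysis", "I": "Deep inspect",
    "U": "Locally destined", "E": "Media Deep Inspect", "G": "media signal",
    "r": "Route Nexthop", "A": "Application Firewall Inspect",
}
# Columns: Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio, ToS, Age,
# Destination (may be two words, e.g. "tunnel 1167"), TAge, Packets, Bytes, Flags.
ROW_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<prot>\d+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)"
    r"\s+(?P<cntr>\S+)\s+(?P<prio>\d+)\s+(?P<tos>\d+)\s+(?P<age>\d+)\s+(?P<dest>.+?)"
    r"\s+(?P<tage>\d+)\s+(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<flags>[A-Za-z]+)\s*$"
)
SAMPLE = """Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
192.168.200.174 203.0.113.10    6    50616 80     0/0     0    24  0   tunnel 1167 3    4          256        SYTC
203.0.113.10    10.0.0.101      6    80    50616  0/0     0    24  0   tunnel 1167 3    0          0          NY
"""

def parse_sessions(text):
    """One dict per session row; legend, header and ruler lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("prot", "sport", "dport", "packets", "bytes"):
                d[k] = int(d[k])
            rows.append(d)
    return rows

def decode_flags(flags):
    return [FLAG_MEANINGS.get(c, f"unknown({c})") for c in flags]

def diagnose(sessions, client_ip, site_ip):
    """Locate where a client->site flow stops, following the thread's reasoning."""
    fwd = [s for s in sessions if s["src"] == client_ip and s["dst"] == site_ip]
    rev = [s for s in sessions if s["src"] == site_ip]  # reply flow; dst is the NAT address
    if not fwd:
        return "no session: flow never entered the controller datapath"
    if "D" in fwd[0]["flags"]:
        return "denied on the controller: a role ACL dropped the flow"
    nat = "source-NATed" if "S" in fwd[0]["flags"] else "routed unchanged"
    if not rev or rev[0]["packets"] == 0:
        return f"forwarded ({nat}), no reply seen: check the upstream firewall / hairpin NAT"
    return f"forwarded ({nat}), reply seen: {rev[0]['packets']} packets"
```

Paste real output into `SAMPLE` (or read it from a file) and call `diagnose(parse_sessions(text), client, site)`; a `D` flag on the forward row means the controller's role ACLs are the problem, an `S` flag with a zero-packet reply row means the packets left the controller NATed and the site firewall or hairpin NAT is where to look next.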

     



  • 17.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    MVP
    Posted Feb 16, 2017 09:31 AM

    Yes, 10.0.0.101 is the controller. There's got to be something on our firewall that's preventing this, but I'm not seeing the traffic as of yet. Unfortunately, my boss who administers the firewall is out today; I'll speak with him.



  • 18.  RE: Guest Network and Accessing Public Web Sites Hosted Internally

    MVP
    Posted Feb 16, 2017 09:42 AM

    Yes, if you can remove our external IP, I'd appreciate it. Thanks again.