Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

How to protect the public-ip from unauthorized access - firewall policy

  • 1.  How to protect the public-ip from unauthorized access - firewall policy

    Posted Sep 26, 2014 01:39 AM

    Hi,

    I have a setup like below. There will be some RAP units connecting from the outside to the controller.

    -----private-net(vlan-2)-----Controller---Public-net---

    I noticed some SSH access attempts on the public interface of the controller. I want to protect the public IP from management access.

    I was trying to configure a policy that allows only the RAPs to connect on the public IP and drops the rest, but the VLAN-2 traffic should still be "ip nat inside" and go to the internet.

    I am confused about the firewall policy configuration and how in, out, and session work. I cannot untrust the public interface port.

    [attachment: policy.JPG]


  • 2.  RE: How to protect the public-ip from unauthorized access - firewall policy

    EMPLOYEE
    Posted Sep 26, 2014 01:42 AM
    Simply create a session-based ACL allowing the inbound traffic you want and apply it to the outside interface. See the post below:

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Dedicated-VIA-VPN-RAP-controller-ACL-on-its-public-interface/m-p/202917


  • 3.  RE: How to protect the public-ip from unauthorized access - firewall policy

    Posted Sep 26, 2014 04:40 AM

    Hi,

    Literally, the firewall policy "in" is incoming traffic, and "out" is outgoing traffic.

    Session is applied both ways.

    The port need not be untrusted in order for this applied policy to take effect, right?



  • 4.  RE: How to protect the public-ip from unauthorized access - firewall policy

    EMPLOYEE
    Posted Sep 26, 2014 07:55 AM
    Yes, session handles established connections. You don't need to make the port untrusted. Just apply the ACL to the port.
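
As an added example (not configuration from this thread or from HPE Aruba Networking), this is what the session ACL described in replies 2 and 4 could look like on an ArubaOS controller CLI. It assumes the public port is gigabitethernet 1/0, that the RAPs only need IKE (UDP 500), NAT-T (UDP 4500) and ESP to reach the controller, and that `svc-ike`, `svc-natt` and `svc-esp` are the built-in service aliases for those services (names recalled from memory; confirm them on your own controller, for example with `show netservice`). Lines beginning with `!` are explanatory comments, not CLI input. Everything not explicitly permitted, including SSH to the public IP, is dropped and logged; replies to sessions opened from VLAN 2 through the NAT are still allowed because a session ACL is stateful, which is the point made in reply 4.

```text
! Added example. ArubaOS syntax, port name and service alias names are assumptions.
! Session ACL: what the public-facing port accepts from the Internet.
ip access-list session rap-public-in
  ! RAP IPsec tunnel setup and NAT traversal
  any any svc-ike permit
  any any svc-natt permit
  any any svc-esp permit
  ! Anything else that starts a new session on the public port is dropped
  ! (SSH, HTTPS, SNMP, ...) and logged so scans against the public IP are visible.
  any any any deny log
!
! Apply it to the public port. The port stays trusted (reply 4); the ACL alone filters.
interface gigabitethernet 1/0
  ip access-group rap-public-in session
!
! The inside VLAN keeps its NAT. Return traffic for sessions it opens matches existing
! session state on the way back in and is not evaluated against the deny rule.
interface vlan 2
  ip nat inside
```

Apply this from the inside network or the console rather than over the public IP, since the deny rule will cut an SSH session that arrived through the public port once its session state ages out; then confirm that the RAPs re-establish their tunnels and that the deny rule's hit counter is what increments for the stray SSH attempts (`show acl hits` is the command I would expect for that, again an assumption to check on your release).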