Interface Session ACL



my aruba controller is connected to the MZ and directly reachable from the internet.


We DNAT connections to the controller IPs to an internal system, but all other connections we want to block.


ip access-list session ExtInterface_ACL
  host x.x.x.x host x.x.x tcp 443  dst-nat ip x.x.x.x
  any any any  deny log

DNAT is working. If I observe the security log I can see other external systems "probing" TCP ports and these packets get blocked as expected.


But if I try to establish a connection via SSH to the IP address of this interface I get a login prompt.


#show acl hits

Port Based Session ACL
Policy                   Src   Dst         Service/Application  Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
------                   ---   ---         -------------------  ------  -----------  --------  ----------  -----  ---------
validuser                any   any         any                  permit               5         55          53     ipv4
ExtInterface_ACL         any   controller  any                  deny                 12        12          1591   ipv4
ExtInterface_ACL         any   any         any                  deny                 10        10          1592   ipv4

I guess this is related to the validuser ACL?


If yes: There are no valid users behind this interface. How can I disable this ACL for this interface?

If not: Please tell where to search for a solution.


Thanks in advance!


Re: Interface Session ACL

I forgot one thing. If I want to make this port untrusted, I get the following message:


Illegal Operation: Cannot make the port untrusted. 



