Wireless Access

Frequent Contributor I

NAT with untrusted internet

Hi guys,


i have a new situation wehre i need to nat all client traffic to the internet and i got no firewall at this site. So i put the vlan to the provider on untrusted. The problem is that all traffic on the way back to the clients gets blocked (logon role). My thinking was that the pefng opens (stateful) the way back to the clients. What is here the preferred way to get the client access to the internet and block access to my infrastructue (if i trust the provider). How should be the acl look like on the vlan ? f.E. is my client network and .254 is the gateway and lets say i got one on the provider side (outside NAT address). Iam not sure if i block all traffic to the 222... the clients get traffic back. So currently i would block ssh and https on the 222. but isn't there a standard acl already for that situation with pefng lic ? and why is the back traffic not allows with untrusted ?


Thanks in advance !

Guru Elite

Re: NAT with untrusted internet

Please see the article here:  http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-Connect-your-Aruba-Controller-to-a-Cable-Modem/m-p/951


You do not need to have the provider (public ip address) VLAN as untrusted.  If you are sending wired traffic to the internet, that is the VLAN that you would need to be untrusted.


On the ethernet uplink to the provider, there is an ACL to allow DHCP, but ONLY if you get your public address directly from the provider as DHCP.  If that ip address is static, you can just put that ip address on a separate VLAN interface, assign that VLAN to the uplink interface and make sure that the default gateway of the controller points to the next hop of the provider.  You would then have a "deny all" ACL, instead of one that allows DHCP assigned to that uplink interface.


In the user role for your clients, you can go ahead and block any traffic to, because they do not need to access it.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Search Airheads
Showing results for 
Search instead for 
Did you mean: