Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Need to access the switch which is behind the controller from an external network

  • 1.  Need to access the switch which is behind the controller from an external network

    Posted Sep 27, 2018 03:59 AM

    Hi all,

    Need to access the switch which is behind the controller from an external network.

    The setup is as follows:

    =- 7000 series controller using 6.5 OS
    =- PC1 is present in the external network
    =- In the other location, we have an ISP which is connected to the controller, then we have a switch
    =- Switch's DG is the controller and the controller's DG is the ISP
    =- ISP has 1 public IP and even the controller has 1 public interface
    =- Switch has a private IP which is different from the controller subnet, but the controller has the switch's subnet as well
    =- PC1 from an external network is now able to access the controller by typing the public IP present in the controller
    =- Similarly, we are trying to access the switch which is behind the controller by typing <x.x.x.x controller's public IP>:random port no., e.g. 25.25.25.25:5000. When I type this, we should get the switch page
    =- I am able to ping the controller's public interface from the external network
    =- I am able to ping the switch from the controller and vice versa

    ==========================

    Configuration
    --------------------

    =- I have created a port-based ACL and mapped it to the controller's uplink as follows

    =- Let's consider 25.25.25.25 as the public interface on the controller and 5000 as the random port to open the switch. 0/0/1 is the controller's uplink.

    (config) #ip access-list session t-acl
    (config-sess-t-acl)#any host 25.25.25.25 tcp 5000 dst-nat ip 10.0.0.5 5000
    (config-sess-t-acl)#exit
    (config) #interface gigabitethernet 0/0/1
    (config-if)#ip access-group t-acl session
    (config-if)#exit

    =- So now from an external network, I should be able to access the switch by typing 25.25.25.25:5000 in the URL, but it doesn't work
    =- Site cannot be reached.

    Any help will be of great help as this is something very important.

    Thank you in advance

    Regards,
    PS.



  • 2.  RE: Need to access the switch which is behind the controller from an external network

    EMPLOYEE
    Posted Sep 27, 2018 04:07 AM

    - Find out the public IP address that the request should be coming from.
    - Type "show datapath session table <public ip address>" while you are making the request to see if the traffic is being blocked.
    - Make sure 10.0.0.5 is routable from the controller.



  • 3.  RE: Need to access the switch which is behind the controller from an external network

    Posted Sep 27, 2018 04:10 AM

    Hi colin,

     

    Thank you for your response. I tried show datapath session table <public ip address> and also the client's IP; it showed the traffic coming from the client, but there is no response from the controller to the client.

    make sure 10.0.0.5 is routable from the controller - Yes, there is reachability.



  • 4.  RE: Need to access the switch which is behind the controller from an external network

    EMPLOYEE
    Posted Sep 27, 2018 04:14 AM

    What are the flags on that session entry?  Is there a deny?



  • 5.  RE: Need to access the switch which is behind the controller from an external network

    Posted Sep 27, 2018 04:22 AM

    @cjoseph wrote:

    What are the flags on that session entry?  Is there a deny?

    172.16.X.x[client's IP]   25.25.25.25[controller's public IP]
      6    59618 60002  0/0     0    0   0   0/0/3       7    0          0          FDYC
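    Added example, not code from the thread or from HPE Aruba Networking: a small Python helper that applies the two checks this thread circles around, on the port-forward configuration from the original post (does the session ACL applied on the uplink actually exist, and what does each dst-nat rule expose to whom) and on the session-table row in reply 5 (what the flags say about whether the flow was denied or NATted, and whether its destination port matches any dst-nat rule). The flag legend is my recollection of the one ArubaOS prints under `show datapath session table` and the column order of a data row is likewise assumed; verify both against your controller's own output. The configuration sample is constructed in the thread's style with a deliberate ACL-name typo so that the check fires; the session row is the one posted in reply 5.

```python
"""Checks for an ArubaOS dst-nat port forward (added example, not from the thread).

Assumptions, not from the page:
  * FLAG_LEGEND is my recollection of the legend printed under
    `show datapath session table`; verify it against your controller.
  * A data row is assumed to have the columns
    Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags.
"""
import re

FLAG_LEGEND = {          # subset of the legend (assumed, verify locally)
    "F": "fast path",
    "S": "source NAT",
    "N": "destination NAT",
    "D": "deny",
    "R": "redirect",
    "Y": "no syn",
    "C": "client",
}

ACL_DEF = re.compile(r"ip access-list session (\S+)")
ACL_APPLY = re.compile(r"ip access-group (\S+) session")
DNAT_RULE = re.compile(
    r"any host (\d+(?:\.\d+){3}) tcp (\d+) dst-nat ip (\d+(?:\.\d+){3}) (\d+)")


def check_forward_config(cli_text):
    """Parse pasted CLI text; return (dst-nat rules, list of findings)."""
    defined, applied, rules, current = set(), [], [], None
    for line in cli_text.splitlines():
        if m := ACL_DEF.search(line):
            current = m.group(1)
            defined.add(current)
        elif m := ACL_APPLY.search(line):
            applied.append(m.group(1))
        elif m := DNAT_RULE.search(line):
            rules.append({"acl": current,
                          "public_ip": m.group(1), "public_port": int(m.group(2)),
                          "inside_ip": m.group(3), "inside_port": int(m.group(4))})
    findings = []
    for name in applied:
        if name not in defined:
            findings.append(f"ACL '{name}' is applied but never defined "
                            f"(defined: {sorted(defined)}); it matches nothing")
    for r in rules:
        if r["acl"] not in applied:
            findings.append(f"ACL '{r['acl']}' holds a dst-nat rule but is not "
                            "applied to any interface")
        # Defender's note: the rule's source is `any`, so the inside host is
        # reachable from every address that can reach the public IP.
        findings.append(f"note: {r['public_ip']}:{r['public_port']} forwards to "
                        f"{r['inside_ip']}:{r['inside_port']} from any source; "
                        "restrict the source if only known hosts need it")
    return rules, findings


def parse_session_row(row):
    """Split one data row of `show datapath session table` (assumed column order)."""
    f = row.split()
    if len(f) != 12:
        raise ValueError(f"expected 12 columns, got {len(f)}: {row!r}")
    return {"proto": int(f[0]), "sport": int(f[1]), "dport": int(f[2]),
            "packets": int(f[9]), "bytes": int(f[10]), "flags": f[11]}


def diagnose_session(row, rules):
    """Decode the flags of one session row and relate it to the dst-nat rules."""
    s = parse_session_row(row)
    s["decoded"] = [FLAG_LEGEND.get(c, f"unknown({c})") for c in s["flags"]]
    s["denied"] = "D" in s["flags"]
    s["dnat_applied"] = "N" in s["flags"]
    s["matching_rules"] = [r for r in rules
                           if s["proto"] == 6 and r["public_port"] == s["dport"]]
    notes = []
    if s["denied"]:
        notes.append("deny flag set: the datapath dropped this flow, so some "
                     "ACL rejected it before any NAT could happen")
    if not s["dnat_applied"]:
        notes.append("no destination-NAT flag: the dst-nat rule did not act "
                     "on this session")
    if not s["matching_rules"]:
        notes.append(f"no dst-nat rule for tcp/{s['dport']}: the rule's public "
                     "port must equal the port the client connects to")
    s["notes"] = notes
    return s


# Constructed sample in the thread's style, with a deliberate ACL-name typo
# ('test-acl' applied, 't-acl' defined) so the config check fires.
SAMPLE_CONFIG = """\
(config) #ip access-list session t-acl
(config-sess-t-acl)#any host 25.25.25.25 tcp 5000 dst-nat ip 10.0.0.5 5000
(config-sess-t-acl)#exit
(config) #interface gigabitethernet 0/0/1
(config-if)#ip access-group test-acl session
(config-if)#exit
"""
# The row posted in reply 5 (the IP columns were on a separate line there).
SAMPLE_ROW = "6    59618 60002  0/0     0    0   0   0/0/3       7    0          0          FDYC"

if __name__ == "__main__":
    rules, findings = check_forward_config(SAMPLE_CONFIG)
    print(*findings, sep="\n")
    result = diagnose_session(SAMPLE_ROW, rules)
    print(result["flags"], "=", ", ".join(result["decoded"]))
    print(*result["notes"], sep="\n")
```

    Run as a script it reports the undefined ACL name, decodes FDYC as fast path / deny / no syn / client, and points out that the posted row's destination port (60002) matches no rule written for port 5000; whether the 5000 in the post is the real port or only an illustration is for the poster to confirm, which is exactly the kind of detail the later replies ask for. The two observations worth carrying away are that a D in the flags means an ACL dropped the flow regardless of what `show acl hits` lists for the dst-nat rule, and that a working forward shows N in the flags.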



  • 6.  RE: Need to access the switch which is behind the controller from an external network

    Posted Sep 27, 2018 04:33 AM

    There is no firewall



  • 7.  RE: Need to access the switch which is behind the controller from an external network

    EMPLOYEE
    Posted Sep 27, 2018 04:43 AM

    Type "show acl hits" and see if you can figure out which ACL could be blocking the traffic.



  • 8.  RE: Need to access the switch which is behind the controller from an external network

    Posted Sep 27, 2018 12:23 PM

    show acl hits doesn't show the dst-nat ACLs



  • 9.  RE: Need to access the switch which is behind the controller from an external network

    EMPLOYEE
    Posted Sep 27, 2018 12:31 PM
    There might be another ACL that is responsible for the denies.


  • 10.  RE: Need to access the switch which is behind the controller from an external network

    Posted Sep 27, 2018 12:37 PM

    I do not see any ACL which is blocking the switch.



  • 11.  RE: Need to access the switch which is behind the controller from an external network

    EMPLOYEE
    Posted Sep 27, 2018 12:39 PM
    Is the private IP address that you are trying to reach in the user table? We would need to know more about your setup to advise you. One way to do that could be a TAC case. You have it configured correctly.