What platform are you configuring this on?
- You should be configuring Session ACLs for user traffic (do not use extended).
- You should also be using built-in services for applications instead of configuring individual TCP and UDP ports. Services for applications are stateful and have Application Level Gateways that look at sessions and not just TCP and UDP port traffic.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides:
https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------
Original Message:
Sent: Jun 13, 2022 04:00 AM
From: Michael Lloyd
Subject: Aruba Wireless Controller ACL Question
We currently have an ACL to block all access to internal resources. We want to open it up to some specific IPs for web traffic. We have added 140-151 as shown below but we still aren't able to connect to those resources. Is there something I'm missing to be able to allow this?
ip access-list extended "Guest-ACL"
   10 remark "Allow DNS and DHCP"
   10 permit udp 0.0.0.0 255.255.255.255 172.20.82.10 0.0.0.0 eq 53
   15 permit udp 0.0.0.0 255.255.255.255 172.20.82.127 0.0.0.0 eq 53
   40 permit udp 0.0.0.0 255.255.255.255 168.170.19.254 0.0.0.0 eq 67
   50 remark "Deny Internal Ranges"
   50 deny ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255
   60 deny ip 0.0.0.0 255.255.255.255 172.20.0.0 0.0.255.255
   70 deny ip 0.0.0.0 255.255.255.255 172.26.224.0 0.0.0.255
   80 deny ip 0.0.0.0 255.255.255.255 172.20.80.0 0.0.4.255
   90 remark "Allow Internet Access"
   140 permit tcp 0.0.0.0 255.255.255.255 172.20.82.130 0.0.0.0 eq 80
   141 permit tcp 0.0.0.0 255.255.255.255 172.20.82.130 0.0.0.0 eq 443
   145 permit tcp 0.0.0.0 255.255.255.255 172.20.82.19 0.0.0.0 eq 80
   146 permit tcp 0.0.0.0 255.255.255.255 172.20.82.19 0.0.0.0 eq 443
   150 permit tcp 0.0.0.0 255.255.255.255 172.20.82.102 0.0.0.0 eq 80
   151 permit tcp 0.0.0.0 255.255.255.255 172.20.82.102 0.0.0.0 eq 443
   exit
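Added example (editor's code, not from either poster or from HPE/Aruba): a small first-match evaluator for the extended ACL posted in the question, with the entries transcribed one per line. It assumes what numbered extended ACLs do on these platforms: entries are evaluated in sequence-number order, the first matching entry decides, and an implicit deny applies when nothing matches. The guest client address 10.9.8.7 and the renumbering of the web permits to 41-46 are constructed for illustration. It shows that a packet to 172.20.82.130:443 is caught by entry 60 (deny 172.20.0.0 0.0.255.255) before entry 141 is ever reached, so entries 140-151 are shadowed, and that moving them ahead of the deny block makes them fire. The reply's separate recommendation (session ACLs with built-in application services) is not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed transcription of "Guest-ACL" from the question, one entry per line.
GUEST_ACL = """\
10 remark "Allow DNS and DHCP"
10 permit udp 0.0.0.0 255.255.255.255 172.20.82.10 0.0.0.0 eq 53
15 permit udp 0.0.0.0 255.255.255.255 172.20.82.127 0.0.0.0 eq 53
40 permit udp 0.0.0.0 255.255.255.255 168.170.19.254 0.0.0.0 eq 67
50 remark "Deny Internal Ranges"
50 deny ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255
60 deny ip 0.0.0.0 255.255.255.255 172.20.0.0 0.0.255.255
70 deny ip 0.0.0.0 255.255.255.255 172.26.224.0 0.0.0.255
80 deny ip 0.0.0.0 255.255.255.255 172.20.80.0 0.0.4.255
90 remark "Allow Internet Access"
140 permit tcp 0.0.0.0 255.255.255.255 172.20.82.130 0.0.0.0 eq 80
141 permit tcp 0.0.0.0 255.255.255.255 172.20.82.130 0.0.0.0 eq 443
145 permit tcp 0.0.0.0 255.255.255.255 172.20.82.19 0.0.0.0 eq 80
146 permit tcp 0.0.0.0 255.255.255.255 172.20.82.19 0.0.0.0 eq 443
150 permit tcp 0.0.0.0 255.255.255.255 172.20.82.102 0.0.0.0 eq 80
151 permit tcp 0.0.0.0 255.255.255.255 172.20.82.102 0.0.0.0 eq 443
"""


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any), "tcp" or "udp"
    src: int               # base address as a 32-bit integer
    src_wc: int            # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int
    dport: Optional[int]   # destination port from "eq <port>", if present


@dataclass(frozen=True)
class Packet:
    proto: str
    src: int
    dst: int
    dport: Optional[int] = None


def ip2int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_acl(text: str) -> List[Rule]:
    """Parse 'seq action proto src src_wc dst dst_wc [eq port]' entries.
    Remark lines are skipped; the result is sorted by sequence number, which is
    the order the platform evaluates the entries (assumption stated in the lead-in)."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[1] == "remark":
            continue
        src, src_wc, dst, dst_wc = (ip2int(t) for t in tok[3:7])
        dport = int(tok[8]) if len(tok) > 8 and tok[7] == "eq" else None
        rules.append(Rule(int(tok[0]), tok[1], tok[2], src, src_wc, dst, dst_wc, dport))
    return sorted(rules, key=lambda r: r.seq)


def wildcard_match(addr: int, base: int, wc: int) -> bool:
    # A wildcard mask is the inverse of a netmask: only the 0 bits are compared.
    return ((addr ^ base) & ~wc & 0xFFFFFFFF) == 0


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (wildcard_match(pkt.src, rule.src, rule.src_wc)
            and wildcard_match(pkt.dst, rule.dst, rule.dst_wc))


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """First matching entry decides; (None, 'deny') models the implicit deny at the end."""
    for r in rules:
        if matches(r, pkt):
            return r.seq, r.action
    return None, "deny"


def shadowed_permits(rules: List[Rule], client: str = "10.9.8.7") -> List[Tuple[int, Optional[int]]]:
    """For every permit aimed at a single host, send a probe packet that the entry itself
    would match and report (entry, entry that actually fired) when something earlier wins."""
    out = []
    for r in rules:
        if r.action != "permit" or r.dst_wc != 0:
            continue
        hit, _ = first_match(rules, Packet(r.proto, ip2int(client), r.dst, r.dport))
        if hit != r.seq:
            out.append((r.seq, hit))
    return out


def move_before(rules: List[Rule], seqs: Set[int], start: int) -> List[Rule]:
    """Renumber the chosen entries consecutively from `start` so they sit earlier in the
    ACL; refuses to collide with sequence numbers that stay in place."""
    moved = [r for r in rules if r.seq in seqs]
    rest = [r for r in rules if r.seq not in seqs]
    new_seqs = set(range(start, start + len(moved)))
    if new_seqs & {r.seq for r in rest}:
        raise ValueError("renumbering would collide with an existing entry")
    renumbered = [Rule(start + i, r.action, r.proto, r.src, r.src_wc, r.dst, r.dst_wc, r.dport)
                  for i, r in enumerate(moved)]
    return sorted(rest + renumbered, key=lambda r: r.seq)


if __name__ == "__main__":
    acl = parse_acl(GUEST_ACL)
    web = Packet("tcp", ip2int("10.9.8.7"), ip2int("172.20.82.130"), 443)
    print("as posted:", first_match(acl, web), "shadowed:", shadowed_permits(acl))
    fixed = move_before(acl, {140, 141, 145, 146, 150, 151}, 41)
    print("web permits before the deny block:", first_match(fixed, web), shadowed_permits(fixed))
```

Running the script reports (60, 'deny') for the posted order and lists all six web permits as shadowed by entry 60; after the permits are renumbered 41-46 the same packet hits (42, 'permit') and nothing is shadowed, while a host in 172.20.0.0/16 that has no permit still ends at entry 60. The probe approach is deliberately narrow: it only checks single-host permits against one constructed source address, which is enough here because every entry uses "any" source.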