Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba Wireless Controller ACL Question

  • 1.  Aruba Wireless Controller ACL Question

    Posted Jun 13, 2022 04:00 AM
    We currently have an ACL to block all access to internal resources. We want to open it up to some specific IPs for web traffic. We have added 140-151 as shown below, but we still aren't able to connect to those resources. Is there something I'm missing to be able to allow this?


    ip access-list extended "Guest-ACL"
       10 remark "Allow DNS and DHCP"
       10 permit udp 0.0.0.0 255.255.255.255 172.20.82.10 0.0.0.0 eq 53
       15 permit udp 0.0.0.0 255.255.255.255 172.20.82.127 0.0.0.0 eq 53
       40 permit udp 0.0.0.0 255.255.255.255 168.170.19.254 0.0.0.0 eq 67
       50 remark "Deny Internal Ranges"
       50 deny ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255
       60 deny ip 0.0.0.0 255.255.255.255 172.20.0.0 0.0.255.255
       70 deny ip 0.0.0.0 255.255.255.255 172.26.224.0 0.0.0.255
       80 deny ip 0.0.0.0 255.255.255.255 172.20.80.0 0.0.4.255
       90 remark "Allow Internet Access"
       140 permit tcp 0.0.0.0 255.255.255.255 172.20.82.130 0.0.0.0 eq 80
       141 permit tcp 0.0.0.0 255.255.255.255 172.20.82.130 0.0.0.0 eq 443
       145 permit tcp 0.0.0.0 255.255.255.255 172.20.82.19 0.0.0.0 eq 80
       146 permit tcp 0.0.0.0 255.255.255.255 172.20.82.19 0.0.0.0 eq 443
       150 permit tcp 0.0.0.0 255.255.255.255 172.20.82.102 0.0.0.0 eq 80
       151 permit tcp 0.0.0.0 255.255.255.255 172.20.82.102 0.0.0.0 eq 443
       exit

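To see why the new permit entries never take effect, it helps to walk the ACL the way the switch does: top down, first match wins, implicit deny at the end. The script below is an added example, not part of the thread or of any HPE Aruba Networking tool. It parses a constructed copy of the posted "Guest-ACL" (same entries, same wildcard masks), evaluates a sample client flow against it, and then shows the same flow after the web permits are renumbered above the "Deny Internal Ranges" block (the renumbering to 41-46 is an assumption chosen because those sequence numbers are free in the posted ACL).

```python
import dataclasses
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the ACL posted in the question. Format (ArubaOS-Switch style):
#   <seq> <action> <proto> <src> <src-wildcard> <dst> <dst-wildcard> [eq <port>]
GUEST_ACL = """\
10 remark "Allow DNS and DHCP"
10 permit udp 0.0.0.0 255.255.255.255 172.20.82.10 0.0.0.0 eq 53
15 permit udp 0.0.0.0 255.255.255.255 172.20.82.127 0.0.0.0 eq 53
40 permit udp 0.0.0.0 255.255.255.255 168.170.19.254 0.0.0.0 eq 67
50 remark "Deny Internal Ranges"
50 deny ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255
60 deny ip 0.0.0.0 255.255.255.255 172.20.0.0 0.0.255.255
70 deny ip 0.0.0.0 255.255.255.255 172.26.224.0 0.0.0.255
80 deny ip 0.0.0.0 255.255.255.255 172.20.80.0 0.0.4.255
90 remark "Allow Internet Access"
140 permit tcp 0.0.0.0 255.255.255.255 172.20.82.130 0.0.0.0 eq 80
141 permit tcp 0.0.0.0 255.255.255.255 172.20.82.130 0.0.0.0 eq 443
145 permit tcp 0.0.0.0 255.255.255.255 172.20.82.19 0.0.0.0 eq 80
146 permit tcp 0.0.0.0 255.255.255.255 172.20.82.19 0.0.0.0 eq 443
150 permit tcp 0.0.0.0 255.255.255.255 172.20.82.102 0.0.0.0 eq 80
151 permit tcp 0.0.0.0 255.255.255.255 172.20.82.102 0.0.0.0 eq 443
"""


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise "tcp"/"udp"
    src: str
    src_wc: str            # wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str
    dport: Optional[int]   # destination port from "eq <port>", if present


def parse_acl(text: str) -> List[Entry]:
    """Parse the ACL text into entries, ordered by sequence number (remarks are skipped)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[1] == "remark":
            continue
        seq, action, proto, src, src_wc, dst, dst_wc = parts[:7]
        dport = int(parts[8]) if len(parts) > 8 and parts[7] == "eq" else None
        entries.append(Entry(int(seq), action, proto, src, src_wc, dst, dst_wc, dport))
    return sorted(entries, key=lambda e: e.seq)


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """True if addr matches net under a wildcard mask (bits set in the mask are ignored)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w) == 0


def evaluate(entries: List[Entry], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, matching seq); (deny, None) is the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc) or not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None


def hoist(entries: List[Entry], seqs: List[int], new_start: int) -> List[Entry]:
    """Copy of the ACL with the given entries renumbered consecutively from new_start."""
    moved = [e for e in entries if e.seq in seqs]
    kept = [e for e in entries if e.seq not in seqs]
    moved = [dataclasses.replace(e, seq=new_start + i) for i, e in enumerate(moved)]
    return sorted(kept + moved, key=lambda e: e.seq)


WEB_PERMITS = [140, 141, 145, 146, 150, 151]


def posted_order() -> Tuple[str, Optional[int]]:
    """Client HTTPS to 172.20.82.130 against the ACL as posted: entry 60 wins, the permit at 141 is never reached."""
    return evaluate(parse_acl(GUEST_ACL), "10.0.0.5", "172.20.82.130", "tcp", 443)


def hoisted_order() -> Tuple[str, Optional[int]]:
    """Same flow with the web permits renumbered 41-46, i.e. above the /16 deny at 60."""
    return evaluate(hoist(parse_acl(GUEST_ACL), WEB_PERMITS, 41), "10.0.0.5", "172.20.82.130", "tcp", 443)


def hoisted_still_denies_other_ports() -> Tuple[str, Optional[int]]:
    """After hoisting, SSH to the same host still hits the /16 deny: only the named ports were opened."""
    return evaluate(hoist(parse_acl(GUEST_ACL), WEB_PERMITS, 41), "10.0.0.5", "172.20.82.130", "tcp", 22)


if __name__ == "__main__":
    print("as posted:", posted_order())
    print("web permits hoisted:", hoisted_order())
    print("ssh after hoist:", hoisted_still_denies_other_ports())
```

The point the evaluator makes is that sequence 60 (`deny ip ... 172.20.0.0 0.0.255.255`) covers every 172.20.82.x destination, so any permit that comes after it in the list is dead; on a first-match ACL the narrow permits have to sit above the broad deny. The third check shows the useful side effect of doing it that way: hoisting only the port 80/443 entries leaves every other port on those hosts blocked, so the internal-range deny still does its job.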

  • 2.  RE: Aruba Wireless Controller ACL Question

    EMPLOYEE
    Posted Jun 13, 2022 11:33 AM
    What platform are you configuring this on?  

    - You should be configuring Session ACLs for user traffic (do not use extended).
    - You should also be using built-in services for applications instead of configuring individual ports, TCP and UDP.  Services for applications are stateful and have Application Level Gateways that look at sessions and not just TCP and UDP port traffic.


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------