Wireless Access

  • 1.  Using 7005 as firewall - have questions

    Posted Apr 25, 2020 02:40 AM
    Hey all.  I'm trying to test a scenario where a branch has an extra controller hanging around and they have to reuse it for emergency purposes (like a country is shut down for COVID and we can't get RMAs in).

    Wondering if anyone has done something like this, with a config close to mine... I can report that, for simple configs, it's a worthwhile solution.  Where I'm running into an issue is WiFi calling and/or NATing.

    Here's my hierarchy/top-level view, in simplest form, to paint the picture.


    cable modem
    |
    |
    [aruba controller (acting firewall - Running OS 8.6.0.4)]
    (dynamic dhcp-client)

    192.168.250.1 /30
    |
    |
    [cisco switch] (core)
    192.168.250.2 /30

    192.168.254.2 /30
    |
    |
    [cisco switch] (distribution)
    192.168.254.1 /30

    10.1.150.1 /29
    10.2.200.0 /24
    |
    |
    [aruba controller] (wireless service)
    10.1.150.5 /29 (mgmt subnet)
    10.2.200.2 /24 (wireless subnet)

    I've also included a txt file with configs that pertain to this setup.  From what I can tell, if I need to SSH remotely to the controller directly, it works.  HOWEVER, if I have a server 3 tiers under the "Firewall", I'm running into issues.  For illustration purposes, it hangs off the second Cisco switch (distribution tier).

    Here are my pain points.

    1.  WiFi calling is sporadic.  Sometimes I get wireless calls, sometimes I don't.  Usually, if I can't receive an inbound call or place an outbound call, I switch over to the cell provider, go active on said call, then switch my wireless back on.

    2.  Texts/messaging are sporadic.  Sometimes back-to-back sending and receiving, then nothing for a short while, then 1-25 at once.  Not really, but you get the point.

    3.  The last issue I'm having, like I said, is routing the NAT'd traffic to a server.

    I have tried a bunch of things... my routing is fine, internally.  I see ACLs being hit -- but it's not making sense.

    One thing I've realized is that for V Wireless, you have to be able to allow inbound traffic off source port UDP 4500.  My workaround is to use the PGNs as netdestinations and do a session ACL using an alias.

    Anyway - who's up for a challenge?  Hoping someone can help me out.

    Hope y'all are safe... many thanks in advance.

    Attachment(s): firewall.txt (1 KB)


  • 2.  RE: Using 7005 as firewall - have questions
    Best Answer

    Posted Apr 25, 2020 04:11 AM

    Hi,

    I quickly checked your config and maybe you can do these changes (assuming this is a testing environment and there is no impact if any issue happens).

    Your VLAN 10 (internal VLAN) is configured as trusted, so you are not seeing any user in the "show user-table".

    If you change VLAN 10 to untrusted and assign it an initial role (it can be as simple as allowall), then you will be able to see the users in the show user-table.  Traffic initiated from these users to the outside will be allowed, and you don't need to worry about the return traffic as the traffic was initiated from inside.  This can solve some of the outbound issues.  You can tighten the allowall to only allow specific traffic, but make sure to allow OSPF in case you do so...


    !Role for the internal VLAN; allowall is the loosest starting point
    user-role 10_corporate
    access-list session allowall

    !AAA profile that hands the role to wired users on VLAN 10
    aaa profile "AAA-profile-VLAN-10"
    initial-role 10_corporate

    !The profile name here must match the one defined above
    vlan 10 wired aaa-profile "AAA-profile-VLAN-10"

    !Removing vlan 10 from trusted list on every port that carries it
    interface gigabitethernet 0/0/2
    trusted vlan 1-9,11-4094
    !
    interface gigabitethernet 0/0/3
    trusted vlan 1-9,11-4094
    !
    interface port-channel 1
    trusted vlan 1-9,11-4094
    !

    As for the inbound issue, I see you are using port 32400, which the controller doesn't listen on by default.  You might want to change the firewall cp to allow this port to be forwarded.

    firewall cp
    ipv4 permit any proto 6 ports 32400 32400
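    The tightened variant the answer hints at, written out as an added example (this is not the answer's config and not from the thread's attachment): the allowall policy is swapped for a session ACL that keeps OSPF (IP protocol 89) open so the adjacency with the core switch survives, passes the basic client services, passes the IKE/NAT-T/ESP services WiFi calling depends on, and logs whatever it drops so the sporadic failures become visible.  The ACL name corp-restricted, the comment lines, and the 203.0.113.10 source host in the cp rule are assumptions chosen for illustration; the host form of the firewall cp rule is also an assumption about this release, so fall back to the answer's "any" form if the CLI rejects it.

```text
! Added example, not the thread's config: restrict the internal VLAN instead of allowall.
! ArubaOS session ACL lines read <source> <destination> <service> <action>;
! the svc-* names are the controller's built-in service aliases.
ip access-list session corp-restricted
  ! OSPF (IP protocol 89) between the controller and the core switch
  any any 89 permit
  ! basic client services
  any any svc-dhcp permit
  any any svc-dns permit
  any any svc-ntp permit
  any any svc-http permit
  any any svc-https permit
  ! WiFi calling: IKE (UDP 500), IPsec NAT-T (UDP 4500) and ESP to the carrier gateway
  any any svc-ike permit
  any any svc-natt permit
  any any svc-esp permit
  ! everything else is dropped and logged so the drops show up in the security log
  any any any deny log

! bind the restricted ACL to the role from the answer, replacing allowall
user-role 10_corporate
  access-list session corp-restricted

! control-plane rule for the inbound 32400 forward, limited to one source host
! (203.0.113.10 is a placeholder for the remote client; adjust to the real source)
firewall cp
  ipv4 permit host 203.0.113.10 proto 6 ports 32400 32400
```

    After applying it, "show user-table" should list the VLAN 10 hosts with role 10_corporate, "show rights 10_corporate" shows the ACL order that is actually in effect, and a dropped WiFi-calling flow will appear as a deny hit in the security log rather than silently timing out.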

     



  • 3.  RE: Using 7005 as firewall - have questions

    Posted Apr 25, 2020 01:26 PM

    So the only thing I did was allow 32400 in via the firewall cp, and this piece works now.  Looks like I need to do some reading up on this.

    As for the WiFi calling -- we will see how this works.  Like I said, this is very sporadic, so it may be a short while for this to work.

    One thing to mention, if it wasn't very clear prior: this Aruba controller is merely working as a firewall/router.  It contains NO wireless connections on it.  The wireless connections are south of it on another controller.  Ultimately, this is why I chose not to run with the user roles.

    At this stage, I'm going to accept as a solution and close out the thread.  For anyone else -- I highly recommend looking at this if you're in dire need to get some sort of firewall up and running and you have a spare/extra Aruba wireless controller kicking around that you can spare.

    Many thanks for the support!