AP vs. LWAPP through Firewall

Answered Question
Sep 27th, 2007
Got a good one for you, a customer has autonomous APs here in a Wireless VLAN, 491 to be exact. Now the controller is all setup and the LWAPP APs land and all is happy.

Customer has an access-list on the Wireless VLAN. Now, with the access-list removed, my LWAPP association is fine and DHCP works fine and all is good. However, with the access-list on, the LWAPP AP is fine (we added the LWAPP protocol); however, I can associate, but cannot get a DHCP address.

Now, before you say it is the access-list (which it is), I can associate to the autonomous APs and get a DHCP address no problem, same access list. All ports Cisco recommended to be open are on the access-list.

Any ideas?

Here is the access-list:

ip access-list extended GUEST-WIRELESS
10 permit udp any any eq 12222
20 permit udp any any eq 12223
30 permit udp any any range 16666 16667
40 permit udp any host 255.255.255.255 eq bootpc
50 permit udp any host 255.255.255.255 eq bootps
60 deny ip any 10.0.0.0 0.255.255.255
70 deny ip any 192.168.0.0 0.0.255.255
80 deny ip any 172.16.0.0 0.15.255.255
90 permit tcp 10.24.48.128 0.0.0.127 any eq www
100 permit tcp 10.24.48.128 0.0.0.127 any eq 443
110 permit tcp 10.24.48.128 0.0.0.127 any eq 22
120 permit tcp 10.24.48.128 0.0.0.127 any eq telnet
130 permit tcp 10.24.48.128 0.0.0.127 any eq pop3
140 permit tcp 10.24.48.128 0.0.0.127 any eq ftp
150 permit tcp 10.24.48.128 0.0.0.127 any eq ftp-data
160 permit udp 10.24.48.128 0.0.0.127 host 209.202.110.121 eq domain
170 permit udp 10.24.48.128 0.0.0.127 host 209.202.110.120 eq domain
180 permit tcp 10.24.48.128 0.0.0.127 155.201.0.0 0.0.255.255 eq 11160
190 permit udp any host 224.0.0.2 eq 1985

paul.matthews Thu, 09/27/2007 - 07:25

When trying to figure out why an access list is not working, I usually add the deny at the end, and add the log keyword, so I can see if it is something I have forgotten to permit. I would also add log to the end of any I suspect of getting in the way.


Paul.

jeff-therrien2 Thu, 09/27/2007 - 07:27
Thanks, I know that trick from years ago; however, in this case, I get no hits, so it must be getting denied further up the list.

Correct Answer
paul.matthews Thu, 09/27/2007 - 07:34

The only denies you have in the list are:

60 deny ip any 10.0.0.0 0.255.255.255
70 deny ip any 192.168.0.0 0.0.255.255
80 deny ip any 172.16.0.0 0.15.255.255


Add logs to those to see what is being dropped. The log should tell you what port etc is being blocked.
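As an added example, not part of the thread, here is a small first-match evaluator that parses a subset of the posted GUEST-WIRELESS lines and reports which sequence number a given packet hits, which is the same information the log keyword would reveal; the test packets (addresses and ports) are constructed, not taken from the customer's network. It shows that a client's broadcast DHCP request is permitted by line 50, while any packet to a destination inside 10/8, 192.168/16 or 172.16/12 that no earlier permit caught is dropped by lines 60 to 80.

```python
import ipaddress
# Subset of the GUEST-WIRELESS list posted in the thread (the other lines use the same syntax).
ACL_TEXT = """
10 permit udp any any eq 12222
30 permit udp any any range 16666 16667
50 permit udp any host 255.255.255.255 eq bootps
60 deny ip any 10.0.0.0 0.255.255.255
70 deny ip any 192.168.0.0 0.0.255.255
80 deny ip any 172.16.0.0 0.15.255.255
90 permit tcp 10.24.48.128 0.0.0.127 any eq www
"""
PORT_NAMES = {"www": 80, "bootpc": 68, "bootps": 67, "domain": 53, "telnet": 23, "pop3": 110, "ftp": 21, "ftp-data": 20}

def _addr(t):  # any | host A | A WILDCARD  ->  ((base, wildcard bits), remaining tokens)
    if t[0] == "any":
        return (0, 0xFFFFFFFF), t[1:]
    if t[0] == "host":
        return (int(ipaddress.ip_address(t[1])), 0), t[2:]
    return (int(ipaddress.ip_address(t[0])), int(ipaddress.ip_address(t[1]))), t[2:]

def _ports(t):  # optional 'eq P' or 'range LO HI'  ->  ((lo, hi) or None, remaining tokens)
    if t and t[0] == "eq":
        p = PORT_NAMES.get(t[1]) or int(t[1])
        return (p, p), t[2:]
    if t and t[0] == "range":
        return (int(t[1]), int(t[2])), t[3:]
    return None, t

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        seq, action, proto, *rest = line.split()
        src, rest = _addr(rest)
        sport, rest = _ports(rest)  # a source-port spec is optional in IOS syntax
        dst, rest = _addr(rest)
        dport, _ = _ports(rest)
        entries.append((int(seq), action, proto, src, sport, dst, dport))
    return entries

def _in(spec, ip):  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.ip_address(ip)) | spec[1]) == (spec[0] | spec[1])
def _port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def first_match(entries, proto, src, sport, dst, dport):
    for seq, action, eproto, esrc, esport, edst, edport in entries:
        if (eproto in ("ip", proto) and _in(esrc, src) and _in(edst, dst)
                and _port_ok(esport, sport) and _port_ok(edport, dport)):
            return seq, action
    return None, "deny"  # implicit deny at the end of every IOS ACL
```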
