DMZ WLC PIX Rules

Unanswered Question

Guys, I'm trying to set up guest access for our visitors.

I have 4 internal controllers up and running with v4.1.185 and no issues. We have just purchased an additional WLC that we want to setup on our DMZ for guest access.

We have done all required Anchor/Mobility configurations on all controllers (Internal & DMZ). I can ping to/from the internal controllers to the DMZ controller with no issues. But my mpings and epings are failing and my data and control paths are not all up. I'm pretty sure that this is a PIX issue not allowing the correct ports to/from the controllers. I am not a security guy, so I'm a little confused on what configs need to happen on the PIX to allow these ports. Can someone please assist me with the PIX configurations?

Thanks

Scott Fella Sun, 05/11/2008 - 17:36

You have these ports allowed correct?

Q. What ports do I need to permit for Lightweight Access Point Protocol (LWAPP) communication when there is a firewall in the network?

A. You must enable these ports:

Enable these UDP ports for LWAPP traffic:

Data - 12222

Control - 12223

Enable these UDP ports for Mobility traffic:

16666 - 16666

16667 - 16667

TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])

These ports are optional (depending on your requirements):

UDP 69 for TFTP

TCP 80 and/or 443 for HTTP or HTTPS for GUI access

TCP 23 and/or 22 for Telnet or secure shell (SSH) for CLI access

Guys, I have passed along the list of ports that need to be open to our PIX support team (AT&T). I am not a security guy, so I would like to know what these commands should look like so that I can confirm that AT&T is doing it correctly. If possible, can someone please post what these commands should look like on the PIX? Any help would be great!!!

Thanks

Scott Fella Sun, 05/11/2008 - 18:16

I wish I had one from my clients, but they are all different. Depending on what inside devices are used for DNS, TFTP, etc., that will be unique per location. Just make sure they have these ports (12222, 12223, 16666, 16667, IP protocol 97) open both ways from the anchor WLC to all foreign WLCs inside (management IP). SNMP (UDP 161, 162) needs to be open both ways to your WCS if you have one.

Just have them put the rules in and if you have issues, have them post the pix config for that.

http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html#wp1001094
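The OP asked what the rules should look like on the PIX. As an added example, not from the thread or from Cisco, this small Python script generates the access-list lines for the ports and protocol Scott listed (both directions, anchor to every foreign WLC) and checks a config pasted back by a third party for gaps. It assumes PIX 7.x "extended" ACL syntax, management addresses reachable without NAT, and constructed sample IPs.

```python
"""Generate and check PIX ACEs for WLC anchor <-> foreign mobility traffic.
Added example, not from the thread. Assumes PIX 7.x 'extended' ACL syntax,
no NAT between controller management addresses, and constructed IPs."""
import re

# The thread's list of what must be open both ways between anchor and foreign
# WLCs. "97" is IP protocol 97 (EtherIP), the mobility data tunnel eping tests.
MOBILITY_RULES = [("udp", "12222"), ("udp", "12223"), ("udp", "16666"),
                  ("udp", "16667"), ("97", None)]

ACE_RE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+(\S+)\s+"
                    r"host\s+(\S+)\s+host\s+(\S+)(?:\s+eq\s+(\d+))?\s*$")


def mobility_aces(acl_name, pairs, rules=MOBILITY_RULES):
    """One-direction ACEs for each (src, dst) pair. Bind the result with
    'access-group <acl_name> in interface <if>': the DMZ-inbound ACL carries
    anchor->foreign, an inside-inbound ACL (if present) foreign->anchor."""
    lines = []
    for src, dst in pairs:
        for proto, port in rules:
            eq = f" eq {port}" if port else ""
            lines.append(f"access-list {acl_name} extended permit {proto} "
                         f"host {src} host {dst}{eq}")
    return lines


def missing_rules(config_lines, anchor, foreigns, rules=MOBILITY_RULES):
    """(proto, port, src, dst) tuples not permitted in either direction; use it
    to verify the ACL a third party pastes back before suspecting the WLCs."""
    permitted = {m.groups()                      # (proto, src, dst, port)
                 for m in map(ACE_RE.match, map(str.strip, config_lines)) if m}
    missing = []
    for frn in foreigns:
        for src, dst in ((anchor, frn), (frn, anchor)):
            for proto, port in rules:
                if (proto, src, dst, port) not in permitted:
                    missing.append((proto, port, src, dst))
    return missing


if __name__ == "__main__":
    anchor, foreigns = "192.0.2.10", ["10.0.0.11", "10.0.0.12"]  # constructed
    cfg = mobility_aces("DMZ_IN", [(anchor, f) for f in foreigns])
    cfg += mobility_aces("INSIDE_IN", [(f, anchor) for f in foreigns])
    print("\n".join(cfg))
    # Forgetting protocol 97 is the classic "mping works, eping fails" case:
    print(missing_rules([l for l in cfg if " permit 97 " not in l], anchor, foreigns))
```

Traffic from the higher-security inside interface to the DMZ is allowed by default only if no inbound ACL is bound on inside; once one exists, the foreign-to-anchor lines must be in it too.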
