DMZ WLC PIX Rules

carlos.perez
Level 1

Guys, I'm trying to set up guest access for our visitors.

I have 4 internal controllers up and running with v4.1.185 and no issues. We have just purchased an additional WLC that we want to setup on our DMZ for guest access.

We have done all required Anchor/Mobility configurations on all controllers (Internal & DMZ). I can ping to/from the internal controllers to the DMZ controller with no issues. But my mpings and epings are failing and my data and control paths are not all up. I'm pretty sure that this is a PIX issue not allowing the correct ports to/from the controllers. I am not a security guy so I'm a little confused on what configs need to happen on the PIX to allow these ports. Can someone please assist me with the PIX configurations?

Thanks

4 Replies

andrew.prince
Level 10

Carlos,

Can you post the sanitised PIX configuration?

You have these ports allowed correct?

Q. What ports do I need to permit for Lightweight Access Point Protocol (LWAPP) communication when there is a firewall in the network?

A. You must enable these ports:

Enable these UDP ports for LWAPP traffic:

Data - 12222

Control - 12223

Enable these UDP ports for Mobility traffic:

16666 - 16666

16667 - 16667

TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])

These ports are optional (depending on your requirements):

UDP 69 for TFTP

TCP 80 and/or 443 for HTTP or HTTPS for GUI access

TCP 23 and/or 22 for Telnet or secure shell (SSH) for CLI access

-Scott
*** Please rate helpful posts ***

Guys, I have passed along the list of ports that need to be open to our PIX support team (AT&T). I am not a security guy, so I would like to know what these commands should look like so that I can confirm that AT&T is doing it correctly. If possible, can someone please post what these commands should look like on the PIX? Any help would be great!!!

Thanks

I wish I had one from my clients, but they are all different. Depending on what inside devices are used for DNS, TFTP, etc., that will be unique per location. Just make sure they have these ports (12222, 12223, 16666, 16667, IP protocol 97) open both ways from the anchor WLC to all foreign WLCs inside (management IP). SNMP (UDP 161, 162) needs to be open both ways to your WCS if you have one.

Just have them put the rules in and if you have issues, have them post the pix config for that.

http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html#wp1001094

-Scott
*** Please rate helpful posts ***
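As a constructed illustration of the rule set described in the reply above (added here; it is not from the thread, from Cisco's guest-access guide, or from AT&T), this is what the PIX access lists could look like when the anchor/foreign ports are opened both ways and nothing else is allowed from the DMZ anchor into the inside network. It assumes PIX 7.x "extended" ACL syntax, interfaces named inside and dmz, and placeholder addresses: anchor WLC management 192.0.2.10 on the DMZ, the four foreign WLCs at 10.10.10.11-14 inside, and a WCS at 10.10.10.50; the ACL and object-group names are invented.

```text
! Constructed example, not from the thread. Replace the placeholder
! management addresses with your own before use.
object-group network FOREIGN_WLC
 network-object host 10.10.10.11
 network-object host 10.10.10.12
 network-object host 10.10.10.13
 network-object host 10.10.10.14
object-group network ANCHOR_WLC
 network-object host 192.0.2.10
! Ports the controllers need between each other (UDP).
object-group service WLC_MOBILITY_UDP udp
 port-object eq 16666
 port-object eq 16667
object-group service LWAPP_UDP udp
 port-object eq 12222
 port-object eq 12223
!
! Inside -> DMZ (foreign controllers to the anchor), applied inbound on inside.
access-list INSIDE_IN extended permit udp object-group FOREIGN_WLC object-group ANCHOR_WLC object-group WLC_MOBILITY_UDP
access-list INSIDE_IN extended permit udp object-group FOREIGN_WLC object-group ANCHOR_WLC object-group LWAPP_UDP
! EtherIP (IP protocol 97) carries the tunnelled guest traffic.
access-list INSIDE_IN extended permit 97 object-group FOREIGN_WLC object-group ANCHOR_WLC
! Management of the anchor from the WCS only: SNMP polls, HTTPS and SSH.
access-list INSIDE_IN extended permit udp host 10.10.10.50 object-group ANCHOR_WLC eq 161
access-list INSIDE_IN extended permit tcp host 10.10.10.50 object-group ANCHOR_WLC eq 443
access-list INSIDE_IN extended permit tcp host 10.10.10.50 object-group ANCHOR_WLC eq 22
! Keep whatever other inside rules already exist, then apply the list.
access-group INSIDE_IN in interface inside
!
! DMZ -> inside (anchor to foreign controllers), applied inbound on dmz.
! Only the anchor's management address, only these ports; everything
! else from the DMZ toward the inside is denied and logged.
access-list DMZ_IN extended permit udp object-group ANCHOR_WLC object-group FOREIGN_WLC object-group WLC_MOBILITY_UDP
access-list DMZ_IN extended permit udp object-group ANCHOR_WLC object-group FOREIGN_WLC object-group LWAPP_UDP
access-list DMZ_IN extended permit 97 object-group ANCHOR_WLC object-group FOREIGN_WLC
! SNMP traps from the anchor back to the WCS.
access-list DMZ_IN extended permit udp object-group ANCHOR_WLC host 10.10.10.50 eq 162
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Mobility peers must reach each other's real management IPs. Assumption:
! nat-control is enabled, so an identity static keeps the inside
! controllers un-translated toward the DMZ.
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
```

If the PIX runs 6.x, drop the `extended` keyword; if the anchor still fails mping/eping after this, `show access-list DMZ_IN` and the log entries from the final deny line show which direction and port is being dropped.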