11-03-2014 06:51 AM - edited 07-05-2021 01:51 AM
Hello all, I have a Cisco Wireless Controller 2504 running a guest wifi network and an internal wifi network. My access points are Cisco AIR-CAP 2702. We have users authenticating to our RADIUS server using 802.1X for the internal network and browser login authentication for the guest network.
Just for info, our wireless controller is running software version 8.0.100.0.
Everything has been running smoothly, until we wanted to apply an access list to the internal LAN network. Once we apply the access list, our wireless clients lose internet connectivity. I can authenticate to the wireless controller, and can ping internal addresses of hosts on our network, but am unable to access any web pages. I can ping websites by IP address but not by domain name. I try to visit web pages by IP address and by web address but cannot reach the page. Web browsing is not the only thing affected: I have a rule to explicitly allow remote desktop to a particular server, but I am unable to remote connect. Everything gets resolved once the access control list is removed.
I have attached a screenshot of my rules so that you can review them and notify me if I am missing something. Thank you for any help in advance.
11-09-2014 02:00 PM
One thing you need to be aware of is that ACLs on the WLCs are not reflexive. You must explicitly allow the type of traffic in both directions. So if you are permitting anything to anything to destination UDP 69, then you would need to permit anything to anything with source UDP 69 to any destination UDP. You would have to do this for the rest of your flows. I hope this makes sense.
To make things simpler you can do an easier ACL where you would:
1. Permit all sources to all destinations on all ports and protocol "outbound" direction only
2. Permit all sources to any (if needed) internal destinations on the specific ports and protocols "inbound" direction only
3. Block all sources to all RFC 1918 on all ports and protocols "inbound" direction only
4. Permit all sources to all destinations on all ports and protocols
Thank you for rating helpful posts!
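The reply above makes one point that is easy to get wrong: a WLC ACL is stateless, so a rule that permits the request half of a session says nothing about the reply half. The following Python model is an added example, not code from either poster or from Cisco. It assumes the WLC convention that "in" means traffic from the wireless client toward the network and "out" means traffic toward the client, and it uses constructed addresses (a client at 10.1.50.20, an internal RDP server at 10.1.1.10, a public resolver at 8.8.8.8) because the original poster's ACL is only in a screenshot that is not reproduced here. The reply used UDP 69 as its example; the model generalizes the same mirroring idea to DNS, HTTP and RDP, and compares a one-directional ACL (the symptom: requests leave, replies are dropped) with the four-rule layout the reply suggests.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample addresses (not from the thread): a wireless client,
# an internal RDP server and a public DNS resolver.
CLIENT = "10.1.50.20"
RDP_SERVER = "10.1.1.10"
PUBLIC_DNS = "8.8.8.8"
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = from the wireless client toward the network, "out" = toward the client (assumed WLC convention)
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    direction: str = "any"        # "in", "out" or "any"
    proto: str = "any"
    dst_nets: Tuple = ()          # destination networks to match; empty tuple = any destination
    sport: Optional[int] = None   # None = any source port
    dport: Optional[int] = None   # None = any destination port

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dst_nets and not any(ip_address(p.dst) in net for net in self.dst_nets):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl, packet: Packet) -> str:
    """First matching rule wins; a packet that matches nothing hits the implicit deny."""
    for rule in acl:
        if rule.matches(packet):
            return rule.action
    return "deny"


def flow_allowed(acl, request: Packet, reply: Packet) -> bool:
    """A stateless ACL only passes a session if BOTH the request and the reply match a permit."""
    return evaluate(acl, request) == "permit" and evaluate(acl, reply) == "permit"


def reply_for(request: Packet) -> Packet:
    """Build the return packet of a request: direction flipped, addresses and ports swapped."""
    return Packet("out" if request.direction == "in" else "in", request.proto,
                  request.dst, request.src, request.dport, request.sport)


# ACL written the stateful-firewall way: only the client-to-server half of each session is permitted.
ONE_WAY_ACL = [
    Rule("permit", "in", "udp", dport=53),
    Rule("permit", "in", "tcp", dport=80),
    Rule("permit", "in", "tcp", (ip_network(RDP_SERVER + "/32"),), dport=3389),
]

# The four-rule layout from the reply, in order.
TWO_WAY_ACL = [
    Rule("permit", "out"),                                                       # 1. everything toward the client
    Rule("permit", "in", "tcp", (ip_network(RDP_SERVER + "/32"),), dport=3389),  # 2. client to the one internal service
    Rule("deny", "in", dst_nets=RFC1918),                                        # 3. client to any other private address
    Rule("permit"),                                                              # 4. everything else (Internet)
]

# Constructed sample sessions.
DNS_REQUEST = Packet("in", "udp", CLIENT, PUBLIC_DNS, 50000, 53)
WEB_REQUEST = Packet("in", "tcp", CLIENT, "93.184.216.34", 50001, 80)
RDP_REQUEST = Packet("in", "tcp", CLIENT, RDP_SERVER, 50002, 3389)
SMB_REQUEST = Packet("in", "tcp", CLIENT, "10.1.1.50", 50003, 445)


def session_results(acl):
    """Map each sample session to whether the ACL lets the full round trip through."""
    return {name: flow_allowed(acl, req, reply_for(req))
            for name, req in [("dns", DNS_REQUEST), ("web", WEB_REQUEST),
                              ("rdp", RDP_REQUEST), ("smb", SMB_REQUEST)]}


if __name__ == "__main__":
    for label, acl in [("one-way", ONE_WAY_ACL), ("two-way", TWO_WAY_ACL)]:
        print(label, session_results(acl))
```

With the one-way ACL every request is permitted but every reply falls through to the implicit deny, so no session completes; with the two-way layout, rule 1 carries all return traffic, rule 2 opens the single internal service, rule 3 keeps clients off the rest of the private address space, and rule 4 lets Internet-bound traffic out.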