Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
750
Views
0
Helpful
3
Replies

AP vs. LWAPP through Firewall

Go to solution
jeff-therrien2
Level 1
Level 1

‎09-27-2007 07:09 AM - edited ‎03-05-2019 06:44 PM

Got a good one for you, a customer has atonomous AP's here in a Wireless VLAN, 491 to be exact. Now the controller is all setup and the LWAAP AP's land and all is happy.

Customer has a an access-list on the Wireless VLAN, no, with the access-list removed, my LWAPP assotiation is fine and DHCP works fine and all is good. However, with the access-list on, LWAPP AP is fine (we added the LWAPP protocol), however, I can associate, but cannot get a DHCP address.

Now, before you say it is the access-list (which it is), I can associate to the Autonomous AP's and get a DHCP address no problem, same access list. All ports Cisco recommended to be open are on the access-list.

Any ideas?

Here is the access-list:

ip access-list extended GUEST-WIRELESS

10 permit udp any any eq 12222

20 permit udp any any eq 12223

30 permit udp any any range 16666 16667

40 permit udp any host 255.255.255.255 eq bootpc

50 permit udp any host 255.255.255.255 eq bootps

60 deny ip any 10.0.0.0 0.255.255.255

70 deny ip any 192.168.0.0 0.0.255.255

80 deny ip any 172.16.0.0 0.15.255.255

90 permit tcp 10.24.48.128 0.0.0.127 any eq www

100 permit tcp 10.24.48.128 0.0.0.127 any eq 443

110 permit tcp 10.24.48.128 0.0.0.127 any eq 22

120 permit tcp 10.24.48.128 0.0.0.127 any eq telnet

130 permit tcp 10.24.48.128 0.0.0.127 any eq pop3

140 permit tcp 10.24.48.128 0.0.0.127 any eq ftp

150 permit tcp 10.24.48.128 0.0.0.127 any eq ftp-data

160 permit udp 10.24.48.128 0.0.0.127 host 209.202.110.121 eq domain

170 permit udp 10.24.48.128 0.0.0.127 host 209.202.110.120 eq domain

180 permit tcp 10.24.48.128 0.0.0.127 155.201.0.0 0.0.255.255 eq 11160

190 permit udp any host 224.0.0.2 eq 1985

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul.matthews
Level 5
Level 5
In response to jeff-therrien2

‎09-27-2007 07:34 AM

The only denies you have in the list are;

60 deny ip any 10.0.0.0 0.255.255.255

70 deny ip any 192.168.0.0 0.0.255.255

80 deny ip any 172.16.0.0 0.15.255.255

Add logs to those to see what is being dropped. The log should tell you what port etc is being blocked.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
paul.matthews
Level 5
Level 5

‎09-27-2007 07:25 AM

When trying to figure out why an access list is not working, I usually add the deny at the end, and add the log keyword, so I can see if it is something I have forgotten to permit. I would also add log to the end of any I suspect of getting in the way.

Paul.

0 Helpful

Go to solution
jeff-therrien2
Level 1
Level 1
In response to paul.matthews

‎09-27-2007 07:27 AM

Thanks, I know that trick from years ago, however, in this case, I get no hits, so it must being denied further up the list.

0 Helpful

Go to solution
paul.matthews
Level 5
Level 5
In response to jeff-therrien2

‎09-27-2007 07:34 AM

The only denies you have in the list are;

60 deny ip any 10.0.0.0 0.255.255.255

70 deny ip any 192.168.0.0 0.0.255.255

80 deny ip any 172.16.0.0 0.15.255.255

Add logs to those to see what is being dropped. The log should tell you what port etc is being blocked.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card