Traffic getting blocked after applying ACL on Cisco WLC 2504
Hello all, I have a Cisco wireless controller 2504 running a guest Wi-Fi network and an internal Wi-Fi network. My access points are Cisco AIR-CAP2702. We have users authenticating to our RADIUS server using 802.1X for the internal network and browser login authentication for the guest network.
Just for info, our wireless controller is running software version 184.108.40.206.
Everything has been running smoothly, until we wanted to apply an access list to the internal LAN network. Once we apply the access list, our wireless clients lose internet connectivity. I can authenticate to the wireless controller, and can ping internal addresses of hosts on our network, but am unable to access any web pages. I can ping websites by IP address but not by domain name. I try to visit web pages by IP address and by web address but cannot reach the page. Not only web browsing is limited: I have a rule to explicitly allow Remote Desktop to a particular server, but I am unable to connect remotely. Everything gets resolved once the access control list is removed.
I have attached a screenshot of my rules so that you can review and notify if I am missing something. Thank you for any help in advance.
One thing you need to be aware of is that ACLs on the WLCs are not reflexive. You must explicitly allow the type of traffic in both directions. So if you are permitting anything to anything to destination UDP 69, then you would also need to permit anything to anything with source UDP 69 to any destination UDP port. You would have to do this for the rest of your flows. I hope this makes sense.
To make things simpler, you can do an easier ACL where you would:
1. Permit all sources to all destinations on all ports and protocols, "outbound" direction only
2. Permit all sources to any (if needed) internal destinations on the specific ports and protocols, "inbound" direction only
3. Block all sources to all RFC 1918 ranges on all ports and protocols, "inbound" direction only
4. Permit all sources to all destinations on all ports and protocols
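To make the non-reflexive behaviour described in the reply above concrete, here is a small Python model of stateless, first-match ACL evaluation with an implicit deny at the end. It is an added example, not code from the post or from Cisco, and it is a simplification of how the controller evaluates rules, not its implementation. It assumes the direction labels are relative to the wireless client ("in" = from the client toward the wired side, "out" = toward the client), which is how the four-step ACL above reads; the client and server addresses are constructed for the example. The first ACL permits only the client-to-server half of a DNS flow and drops the server's reply, the second adds the return rule, and the third ACL is the four-step pattern from the reply, applied to a few sample packets.

```python
"""Stateless (non-reflexive) ACL evaluation, modelled on the direction
semantics of a WLC ACL: each packet is matched against the rules in
isolation, there is no connection table, and an unmatched packet hits
the implicit deny at the end of the list.  Added example, not the
controller's own code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

# Assumption: direction is relative to the wireless client.
# "in"  = from the wireless client toward the wired side
# "out" = from the wired side toward the wireless client


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    direction: str = "any"                   # "in", "out" or "any"
    proto: str = "any"                       # "udp", "tcp", "icmp" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[Tuple[int, int]] = None  # inclusive port range, None = any
    dport: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.sport and not (self.sport[0] <= pkt.sport <= self.sport[1]):
            return False
        if self.dport and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed addresses for the example: a wireless client and two internal servers.
CLIENT = "10.20.30.40"
DNS_SERVER = "10.0.0.53"
RDP_SERVER = "10.0.0.5"

# ACL 1: only the client-to-server half of the DNS flow is permitted.
ONE_WAY_DNS = [
    Rule("permit", "in", "udp", dst=DNS_SERVER, dport=(53, 53)),
]

# ACL 2: the return half (source port 53 back toward the client) is permitted too.
TWO_WAY_DNS = ONE_WAY_DNS + [
    Rule("permit", "out", "udp", src=DNS_SERVER, sport=(53, 53)),
]


def dns_exchange(acl: List[Rule]) -> Tuple[str, str]:
    """Verdicts for a DNS query from the client and the server's reply."""
    query = Packet("in", "udp", CLIENT, DNS_SERVER, sport=40123, dport=53)
    reply = Packet("out", "udp", DNS_SERVER, CLIENT, sport=53, dport=40123)
    return evaluate(acl, query), evaluate(acl, reply)


# ACL 3: the four-step pattern from the reply. Everything toward the client is
# permitted, only the wanted client-originated flows reach the internal ranges,
# other client-originated traffic into RFC 1918 is blocked, the rest is permitted.
SIMPLE_ACL = [
    Rule("permit", "out"),
    Rule("permit", "in", "tcp", dst=RDP_SERVER, dport=(3389, 3389)),
    Rule("permit", "in", "udp", dst=DNS_SERVER, dport=(53, 53)),
    Rule("deny", "in", dst="10.0.0.0/8"),
    Rule("deny", "in", dst="172.16.0.0/12"),
    Rule("deny", "in", dst="192.168.0.0/16"),
    Rule("permit"),
]


def verdicts(acl: List[Rule]) -> Dict[str, str]:
    """Evaluate a few constructed sample packets against an ACL."""
    samples = {
        "rdp_to_server": Packet("in", "tcp", CLIENT, RDP_SERVER, 50000, 3389),
        "rdp_reply": Packet("out", "tcp", RDP_SERVER, CLIENT, 3389, 50000),
        "smb_to_other_internal": Packet("in", "tcp", CLIENT, "10.0.0.9", 50001, 445),
        "https_to_internet": Packet("in", "tcp", CLIENT, "93.184.216.34", 50002, 443),
        "https_reply": Packet("out", "tcp", "93.184.216.34", CLIENT, 443, 50002),
    }
    return {name: evaluate(acl, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    print("one-way DNS ACL (query, reply):", dns_exchange(ONE_WAY_DNS))
    print("two-way DNS ACL (query, reply):", dns_exchange(TWO_WAY_DNS))
    for name, verdict in verdicts(SIMPLE_ACL).items():
        print(f"{name:24s} {verdict}")
```

With the one-way ACL the query is permitted and the reply is dropped, which is the kind of one-sided rule the reply above warns about; the two-way ACL permits both halves. Before pushing a rule set to the controller, walking each expected flow through a model like this in both directions is a cheap way to catch the missing return rule.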