Query regarding CAPWAP connectivity through FTD

gavinhook
Level 1

Hi,

I'm looking to configure rules on an FTD firewall to allow CAPWAP wireless traffic between Wireless Access Points and Wireless Access Controllers.  CAPWAP uses UDP ports 5246 & 5247 to encapsulate the wireless data.  I believe CAPWAP works in a similar way to GRE in that it encapsulates an inner packet with the main packet.

I know when configuring GRE rules (we use GRE for Aruba Wireless comms) through FTD, the rules need to be configured in the prefilter policy and action set to fastpath.

My question is: can CAPWAP rules simply be added as standard ACP rules, or do these need to be configured as prefilter policy rules?

Thanks 

Accepted Solution

Hi,

You can add them both ways and they will work. If you add them through the prefilter policy with action fastpath (which I recommend), then they go without any inspection (just allow/deny). This should be OK, as CAPWAP is encrypted with DTLS and there is no point in inspecting it.

If you allow them through the ACP they will still work, whether the action is trust or allow. But this is an unnecessary inspection.

GRE through the prefilter policy with action tunnel is a different concept, for inspecting encapsulated traffic. FTD can't inspect CAPWAP encapsulations because they are DTLS encrypted and there are no preprocessors for this.

***** please remember to rate useful posts


4 Replies


perfect answer 

Can you advise on what the rules would need to look like to add to the prefilter policy? Is it just UDP 5246 & 5247 initiated from the Wireless APs to the Wireless Controller, or does it need to be in both directions? Or more than just this?

I see this old article:

https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html#anc8

Many thanks in advance.

Many thanks Mohammed
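Editor's added example, not code from this thread or from Cisco: a small Python model of the two-stage evaluation the accepted answer describes (prefilter policy first, then the access control policy for anything the prefilter does not fastpath) and of the direction question raised in the follow-up. The AP and WLC subnets, the ephemeral source port and the rule names are constructed values. The model assumes the firewall is stateful, so return packets of a connection that was already permitted inherit the initiator's verdict; that assumption, rather than a second rule, is what makes a single AP-to-WLC rule on UDP 5246/5247 cover both directions in this model. Nothing here is FTD's actual implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

CAPWAP_CONTROL, CAPWAP_DATA = 5246, 5247  # UDP ports named in the thread


@dataclass(frozen=True)
class Flow:
    """One direction of a UDP/TCP flow (5-tuple)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    """A rule in either policy; None/empty fields match anything."""
    name: str
    action: str  # prefilter: FASTPATH / ANALYZE / BLOCK; ACP: ALLOW / TRUST / BLOCK
    proto: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dports: Tuple[int, ...] = ()

    def matches(self, f: Flow) -> bool:
        if self.proto and f.proto != self.proto:
            return False
        if self.src_net and ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dports and f.dport not in self.dports:
            return False
        return True


@dataclass
class Verdict:
    action: str
    rule: str
    deep_inspected: bool  # True only when the flow is handed to deep (Snort) inspection


class Firewall:
    """Simplified model: prefilter -> ACP, with a stateful connection table."""

    def __init__(self, prefilter: Iterable[Rule], acp: Iterable[Rule], default_action: str = "BLOCK"):
        self.prefilter = list(prefilter)
        self.acp = list(acp)
        self.default_action = default_action
        self.conns: Dict[Flow, Verdict] = {}  # initiator 5-tuple -> verdict (stateful assumption)

    def evaluate(self, f: Flow) -> Verdict:
        # Return traffic of an established connection inherits the initiator's verdict.
        reverse = f.reverse()
        if reverse in self.conns:
            return self.conns[reverse]
        verdict = self._first_packet(f)
        if verdict.action != "BLOCK":
            self.conns[f] = verdict
        return verdict

    def _first_packet(self, f: Flow) -> Verdict:
        for r in self.prefilter:
            if r.matches(f):
                if r.action == "FASTPATH":
                    return Verdict("FASTPATH", r.name, False)  # skips ACP and Snort entirely
                if r.action == "BLOCK":
                    return Verdict("BLOCK", r.name, False)
                break  # ANALYZE: fall through to the access control policy
        for r in self.acp:
            if r.matches(f):
                # ALLOW sends the flow to deep inspection; TRUST skips it but still
                # passes through the ACP stage, which is the "unnecessary" part above.
                return Verdict(r.action, r.name, r.action == "ALLOW")
        return Verdict(self.default_action, "default", False)


def build_demo_firewall() -> Firewall:
    ap_subnet, wlc_subnet = "10.10.0.0/16", "10.20.0.0/24"  # constructed addresses
    prefilter = [Rule("capwap-fastpath", "FASTPATH", "udp", ap_subnet, wlc_subnet,
                      (CAPWAP_CONTROL, CAPWAP_DATA))]
    acp = [Rule("allow-dns", "ALLOW", "udp", ap_subnet, None, (53,))]
    return Firewall(prefilter, acp)


if __name__ == "__main__":
    fw = build_demo_firewall()
    capwap_ctl = Flow("udp", "10.10.5.7", 49152, "10.20.0.10", CAPWAP_CONTROL)
    samples = [capwap_ctl, capwap_ctl.reverse(),
               Flow("udp", "10.10.5.7", 49153, "10.20.0.53", 53),
               Flow("udp", "10.10.5.7", 49154, "10.20.0.10", 8080)]
    for f in samples:
        v = fw.evaluate(f)
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}  {v.action:8} rule={v.rule} deep={v.deep_inspected}")
```

The WLC-to-AP packets only pass because the AP-initiated connection already exists in the table; a WLC-initiated flow to 5246 with no prior connection falls through to the default action in this model, which is the kind of behaviour to confirm on the real device before deciding whether a second, reverse-direction rule is needed.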
