Cisco WLC 5508 - ACL Permit-Deny

Riimeister (Level 1)

I have created an ACL rule in WLC where the goal is:
ip source: 10.20.116.0 / 255.255.255.0
dest: 10.0.0.0 / 255.0.0.0 (deny)

as shown below.

Riimeister_0-1739349183314.png

The current result is:
dest to 10.20.111.240 (example): deny/reject
But the problem is that access to the internet (HTTP and HTTPS) is also not possible.

What I need is: ip source 10.20.116.0, dest http, https (internet) is permit.

Is there something wrong with the rule I created?

Accepted Solution

Solved, thank you @Flavio Miranda!
I tried changing the DNS on the DHCP scope for segment 10.20.116.0/24 like this:

Riimeister_0-1739412981110.png


15 Replies

@Riimeister 

Use protocol any. You never know whether the traffic towards the internet will be TCP or UDP, and DNS also uses both TCP and UDP.

FlavioMiranda_0-1739352389838.png
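The behaviour described in this thread is easy to reproduce off-box. The following is an added example, not code from the thread or from Cisco: a small first-match ACL evaluator in Python. WLC ACLs are walked top down, the first matching rule wins, and anything left unmatched falls to the implicit deny at the end. The two rule sets are constructed approximations of the original ACL (deny to 10.0.0.0/8, then permit only TCP 80/443) and the corrected one (deny to 10.0.0.0/8, then permit any). The client address, the public destination 203.0.113.10 (documentation range) and the flows are constructed sample values; the direction field of a real WLC rule is ignored for brevity.

```python
"""Added example: first-match ACL evaluator reproducing the thread's symptom.

Not Cisco code and not from the thread; rule sets, addresses and flows are
constructed for illustration.  WLC ACLs are evaluated top down, first match
wins, and an unmatched flow hits the implicit deny.  Rule direction is not
modelled here.
"""
import ipaddress

IMPLICIT_DENY = ("deny", None)  # (action, matching sequence number)


def rule(seq, action, proto="any", src="any", dst="any", dport="any"):
    """Build one ACL line; 'any' means the field is not checked."""
    return {
        "seq": seq,
        "action": action,
        "proto": proto,
        "src": None if src == "any" else ipaddress.ip_network(src),
        "dst": None if dst == "any" else ipaddress.ip_network(dst),
        "dport": dport,
    }


def _matches(r, flow):
    if r["proto"] != "any" and r["proto"] != flow["proto"]:
        return False
    if r["src"] is not None and ipaddress.ip_address(flow["src"]) not in r["src"]:
        return False
    if r["dst"] is not None and ipaddress.ip_address(flow["dst"]) not in r["dst"]:
        return False
    if r["dport"] != "any" and r["dport"] != flow.get("dport"):
        return False
    return True


def evaluate(acl, flow):
    """Return (action, seq) of the first matching rule, or the implicit deny."""
    for r in sorted(acl, key=lambda x: x["seq"]):
        if _matches(r, flow):
            return r["action"], r["seq"]
    return IMPLICIT_DENY


def original_acl():
    # Constructed approximation of the ACL in the first screenshot.
    return [
        rule(1, "deny", src="10.20.116.0/24", dst="10.0.0.0/8"),
        rule(2, "permit", proto="tcp", src="10.20.116.0/24", dport=80),
        rule(3, "permit", proto="tcp", src="10.20.116.0/24", dport=443),
    ]


def corrected_acl():
    # Same deny first, then protocol/port "any" for internet traffic.
    return [
        rule(1, "deny", src="10.20.116.0/24", dst="10.0.0.0/8"),
        rule(2, "permit", src="10.20.116.0/24"),
    ]


# Constructed sample flows from a client in the 10.20.116.0/24 segment.
FLOWS = {
    "dns":      {"proto": "udp",  "src": "10.20.116.10", "dst": "8.8.8.8",       "dport": 53},
    "https":    {"proto": "tcp",  "src": "10.20.116.10", "dst": "203.0.113.10",  "dport": 443},
    "internal": {"proto": "tcp",  "src": "10.20.116.10", "dst": "10.20.111.240", "dport": 443},
    "icmp":     {"proto": "icmp", "src": "10.20.116.10", "dst": "8.8.8.8"},
}


def compare(flows=FLOWS):
    """Evaluate every flow against both ACLs; returns {name: (orig, fixed)}."""
    return {name: (evaluate(original_acl(), f), evaluate(corrected_acl(), f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:9s} original={before}  corrected={after}")
```

Running it shows why "ping works but browsing does not" is a DNS symptom rather than a routing one: under the original ACL the UDP/53 lookup to 8.8.8.8 matches no permit line and is dropped by the implicit deny, while the TCP/443 flow itself would have been allowed. Under the corrected ACL the deny to 10.0.0.0/8 still sits first, so the flow to 10.20.111.240 is rejected before the broad permit is reached.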


OK, so I tried changing the protocol from TCP and UDP to any, so it becomes like this below, right?

Riimeister_0-1739354371117.png


Thank you, Salim!

For traffic to the internet, leave protocol and port as any. If you use TCP and HTTP/HTTPS, you are going to permit internet access only to web pages, which is not correct.

 leave protocol and port as any. 

OK, so for sequences 2-3 I delete the TCP and UDP protocols? Leave protocol and port as any, so that internet traffic runs?

Correct 

Don't forget to apply the ACL to the dynamic interface.

Thank you for the help! Sure, I will apply the ACL to the dynamic interfaces! I will test.

I've tried it and the result is:

ping to Google DNS 8.8.8.8 works (permit)
ping to internal addresses 10.x.x.x (deny) - works
But internet access is still not working, even though pinging Google DNS 8.8.8.8 works.

Here is the result of the traceroute:

IMG_3537.jpeg

This is a DNS problem.

Try to resolve:

nslookup www.google.com

Riimeister_0-1739411492730.png

Result of nslookup to Google by name and by IP:

You have no DNS response. 

You need to check your DNS. What you can do for testing is manually configure 8.8.8.8 as the DNS server on your machine.