
Cisco mobility express firewall ACL can't permit any

friesher.kuo
Level 1

Hi,

 

I set the Cisco 1832/1852I AP type to Mobility Express mode and enabled the WLAN firewall ACL.

But I can't permit any IP (0.0.0.0/0.0.0.0) for the destination. Refer to the attached picture.

Even if I don't create any ACL, the traffic is still dropped, as if there were a hidden ACL that denies all.

 

I don't know how to set permit any IP.

Attachments: invalid address-0.0.0.0.png, acl-any.png

 

 

17 Replies

Hi @friesher.kuo

An ACL on a Cisco WLC or Mobility Express is not the same as a firewall and is usually used for a specific purpose. I'd say that there's no firewall on it.

Can you explain what you are trying to accomplish?

 

 

-If I helped you somehow, please, rate it as useful.-

But this function does not work.

When the firewall is enabled, even with no ACL at all or no deny ACL, the client still can't connect to the network.

The Cisco ME AP has the firewall function, and it should be usable, even if you say it's not a firewall.

 

Mate, there's no possibility that your user is not getting into the AP or WLC due to the firewall.

Enable debug on the WLC and let's see the logs:

debug client "mac address"

 

 

 

-If I helped you somehow, please, rate it as useful.-

Hi,

Sorry, I didn't make my point clear.

When the firewall is enabled, with no ACL at all or no deny ACL, the client can connect to the Wi-Fi, so the client can connect to the AP, but they can't go to the other intranet or the internet.

The client connects to the Wi-Fi, but they can't use DHCP to get an address or use a static IP to reach the intranet or internet. They just connect to the wireless.

 

Alright, that makes sense.

Your picture is not available. It looks like you can enter the destination IP and port, so try entering any for both, or 0.0.0.0 for the destination IP. The source is probably your network.

Or you can disable the firewall altogether.

 

 

 

-If I helped you somehow, please, rate it as useful.-

Hi,

I need an ACL to permit all, but I can't put 0.0.0.0 for the destination IP/mask.

That's great, isn't it? If we can't put 0.0.0.0 or any, how does Cisco suppose we can permit traffic to the internet?

I don't have one of them to test right here in front of me, but when you put 0.0.0.0 as the destination, does it give you an error?

 

 

 

 

 

Hi,

 

As in the previously provided picture, it shows the error "invalid address".

I can't put 0.0.0.0.

Hi sir,

I already entered 0.0.0.0 through the command line. The Wi-Fi works normally.

But I still can't put 0.0.0.0 through the GUI.

I use version 8.5.105.0.

 

 

Hi,

I find the client can't get an IP address using DHCP when the firewall is enabled.

Is this about enabling broadcast?

 

 

How can I input 0.0.0.0 through the CLI? What is the command syntax?

Hi,

 

Did you get this working via an ACL line in the CLI even if it's not working in the GUI?

I'm having the same problem. I'm using an 1850i Mobility Express.
When I apply the guest ACL to the GUEST WLAN, I can't connect to the GUEST SSID.

Here is a screenshot of my rules:

Guest.png

Now all I want is to block the guest network traffic from accessing my system.
But when I enable the firewall rules, I simply can't connect to the SSID. Sometimes I can, but most of the time I can't.

What might be the problem?

 

Best Regards/ARIQ

 

 

 

 

 
