Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6475
Views
5
Helpful
17
Replies

Cisco mobility express firewall ACL can't permit any

friesher.kuo
Level 1
Level 1

‎11-17-2017 12:09 AM - edited ‎07-05-2021 07:52 AM

hi,

 

I enable cisco 1832/1852I ap-type to mobility express mode and enable WLAN firewall ACL.

But I can't permit any IP 0.0.0.0/0.0.0.0 for destination. refer attached pic.

even if I don't creat any acl, the traffic be still dropped. like having a hidden acl, it's deny all.

 

I don't know how to set permit any IP.

invalid address-0.0.0.0.pngacl-any.png

 

 

3 people had this problem
Labels:
0 Helpful
17 Replies 17

lobermier@chaney
Level 1
Level 1
In response to Ariq Ibne Aziz

‎03-14-2019 02:43 PM

Did you ever figure this out? I'm up against the same issue and haven't found a way around it yet. Same symptoms, as soon as I enable the firewall option, guests can no longer connect to the Guest SSID. As if DHCP has become unavailable. The controller is doing DHCP for the wireless, so I've tried combinations of ACLs to allow communication to the controller IP, but nothing else. Still no luck. I may put in a call to Cisco if I can't get it on my next visit to this client.

0 Helpful

lobermier@chaney
Level 1
Level 1
In response to lobermier@chaney

‎03-21-2019 09:12 AM

For anybody that does land here, I thought it was odd but I had to explicitly allow DHCP Server broadcast traffic. I created a Permit rule ACL for UDP protocols with destination ports group "DHCP Server". Probably could have set more specific network ranges, but at this point it's working and I have the necessary Deny ACL's in place so I'm happy. 2019-03-21 11_08_59-Wireless.png

 

0 Helpful

kei10omo
Spotlight
Spotlight
In response to Ariq Ibne Aziz

‎03-18-2022 11:50 AM

I also have a good guest network configuration. Could you tell me the settings?

 

Does the ACL work in the IN direction or the OUT direction?

 

I only want to allow internet connection

 

I want to refuse communication between the same segment

 

 

 

internet------router(192.168.4.254)----2960L_POE-----aironet 1815x2(192.168.4.230)--------PC

 

■Router settings

manage network(untag)

ip: 192.168.4.0/24

gw:192.168.4.254

dns:192.168.4.254

dhcp range:192.168.4.1-192.168.4.254

 

guest network vlan91(tag)

ip: 192.168.91.0/24

gw:192.168.91.254

dns:192.168.91.254

dhcp range:192.168.91.1-192.168.91.253

 

■aironet

AP01 192.168.4.1

AP02 192.168.4.2

manage 192.168.4.230

 

■catalyst 2960L

interface GigabitEthernet0/1
switchport trunk native vlan 1
switchport mode trunk

 

interface GigabitEthernet0/2
switchport trunk native vlan 1
switchport mode trunk

 

interface Vlan1
ip address 192.168.4.253 255.255.255.0
!
interface Vlan91
ip address 192.168.91.253 255.255.255.0

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card