Traffic getting blocked after applying ACL on Cisco WLC 2504
Hello all, I have a Cisco wireless controller 2504 running a guest Wi-Fi network and an internal Wi-Fi network. My access points are Cisco AIR-CAP2702. We have users authenticating to our RADIUS server using 802.1X for the internal network and browser login authentication for the guest network.
Just for info, our wireless controller is running software version 126.96.36.199
Everything had been running smoothly until we wanted to apply an access list to the internal LAN network. Once we apply the access list, our wireless clients lose internet connectivity. I can authenticate to the wireless controller and can ping internal addresses of hosts on our network, but I am unable to access any web pages. I can ping websites by IP address but not by domain name. I try to visit web pages by IP address and by web address but cannot reach the page. Not only web browsing is limited: I have a rule to explicitly allow remote desktop to a particular server, but I am unable to remote connect. Everything gets resolved once the access control list is removed.
I have attached a screenshot of my rules so that you can review and notify if I am missing something. Thank you for any help in advance.
One thing you need to be aware of is that ACLs on the WLCs are not reflexive. You must explicitly allow the type of traffic in both directions. So if you are permitting anything to anything to destination UDP 69, then you would need to permit anything to anything with source UDP 69 to any destination UDP. You would have to do this for the rest of your flows. I hope this makes sense.
To make things simpler you can do an easier ACL where you would:
1. Permit all sources to all destinations on all ports and protocol "outbound" direction only
2. Permit all sources to any (if needed) internal destinations on the specific ports and protocols "inbound" direction only
3. Block all sources to all RFC 1918 on all ports and protocols "inbound" direction only
4. Permit all sources to all destinations on all ports and protocols
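The following is an added example, not code from the thread or from Cisco: a small Python model of how a stateless, first-match WLC-style ACL with an implicit deny at the end evaluates traffic. Direction is taken relative to the controller ("inbound" = from the wireless client, "outbound" = toward the client), as in the reply above. It runs a constructed one-directional ACL shaped like the one the poster describes (client-to-server permits only, ICMP permitted in both directions) against a few flows, shows why ping works while DNS, RDP and web fail (the request passes, the reply hits the implicit deny), then shows the mechanical fix of mirroring every one-directional permit, and the four-step simplified ACL from the reply. All addresses, ports and rule sets are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One line of a WLC-style ACL. Direction is relative to the controller:
    'inbound' = from the wireless client, 'outbound' = toward the wireless client."""
    action: str                          # "permit" or "deny"
    direction: str                       # "inbound", "outbound" or "any"
    protocol: str = "any"                # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"               # source network, CIDR
    dst: str = "0.0.0.0/0"               # destination network, CIDR
    sport: Tuple[int, int] = (0, 65535)  # source port range (ICMP: port 0)
    dport: Tuple[int, int] = (0, 65535)  # destination port range


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and rule.protocol in ("any", pkt.protocol)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and rule.dport[0] <= pkt.dport <= rule.dport[1])


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; anything unmatched hits the implicit deny (index None)."""
    for index, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


def reply_of(pkt: Packet) -> Packet:
    """The packet the far end sends back: endpoints and ports swapped, direction flipped."""
    flipped = "outbound" if pkt.direction == "inbound" else "inbound"
    return Packet(flipped, pkt.protocol, pkt.dst, pkt.src, pkt.dport, pkt.sport)


def diagnose(acl: List[Rule], request: Packet) -> str:
    """The ACL keeps no state, so a flow only works if request AND reply are both permitted."""
    for leg, pkt in (("request", request), ("reply", reply_of(request))):
        action, index = evaluate(acl, pkt)
        if action != "permit":
            return f"{leg} denied by " + (f"rule {index}" if index else "the implicit deny")
    return "ok"


def flow_allowed(acl: List[Rule], request: Packet) -> bool:
    return diagnose(acl, request) == "ok"


def with_return_rules(acl: List[Rule]) -> List[Rule]:
    """The fix described in the reply: for every one-directional permit, append the
    mirror rule (src/dst and ports swapped, direction flipped). Mirrors are appended
    after the original rules, so existing deny rules keep their precedence."""
    mirrors = [Rule("permit", "outbound" if r.direction == "inbound" else "inbound",
                    r.protocol, src=r.dst, dst=r.src, sport=r.dport, dport=r.sport)
               for r in acl if r.action == "permit" and r.direction != "any"]
    return acl + mirrors


# Constructed ACL in the shape the poster describes: client-to-server permits only,
# except ICMP, which is allowed in both directions (hence ping works).
ONE_WAY_ACL = [
    Rule("permit", "any", "icmp"),
    Rule("permit", "inbound", "udp", dport=(53, 53)),                         # DNS
    Rule("permit", "inbound", "tcp", dst="10.10.10.20/32", dport=(3389, 3389)),  # RDP to one server
    Rule("permit", "inbound", "tcp", dport=(80, 80)),                         # HTTP
    Rule("permit", "inbound", "tcp", dport=(443, 443)),                       # HTTPS
]

# The four-step ACL from the reply above, step 3 expanded to the three RFC 1918 ranges.
SIMPLE_ACL = [
    Rule("permit", "outbound"),                                                  # 1
    Rule("permit", "inbound", "udp", dst="10.10.10.53/32", dport=(53, 53)),      # 2
    Rule("permit", "inbound", "tcp", dst="10.10.10.20/32", dport=(3389, 3389)),  # 2
    Rule("deny", "inbound", dst="10.0.0.0/8"),                                   # 3
    Rule("deny", "inbound", dst="172.16.0.0/12"),                                # 3
    Rule("deny", "inbound", dst="192.168.0.0/16"),                               # 3
    Rule("permit", "any"),                                                       # 4
]

CLIENT = "10.20.0.15"  # assumed wireless client address
FLOWS = {
    "ping internal host": Packet("inbound", "icmp", CLIENT, "10.10.10.20"),
    "DNS query":          Packet("inbound", "udp", CLIENT, "10.10.10.53", 51000, 53),
    "RDP to server":      Packet("inbound", "tcp", CLIENT, "10.10.10.20", 51001, 3389),
    "HTTP by IP":         Packet("inbound", "tcp", CLIENT, "203.0.113.10", 51002, 80),
}

if __name__ == "__main__":
    for name, acl in (("one-way", ONE_WAY_ACL),
                      ("one-way+mirrors", with_return_rules(ONE_WAY_ACL)),
                      ("simplified", SIMPLE_ACL)):
        for label, pkt in FLOWS.items():
            print(f"{name:16} {label:20} {diagnose(acl, pkt)}")
```

Under the one-way ACL only the ping succeeds; every TCP and UDP flow fails on the reply leg, which is exactly the symptom set in the question (ping by IP works, names do not resolve, RDP to the explicitly permitted server fails). Mirroring the permits or using the simplified ACL makes those flows pass; note that the simplified ACL's step 3 also blocks the ping to the internal host, which is its intended effect.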