
Traffic getting blocked after applying ACL on Cisco WLC 2504

Hello all, I have a Cisco wireless controller 2504 running a guest wifi network and an internal wifi network. My access points are Cisco air cap 2702. We have users authenticating to our RADIUS server using 802.1x for the internal network and browser login authentication for the guest network.

Just for info, our wireless controller is running software version

Everything has been running smoothly, until we wanted to apply an access list to the internal LAN network. Once we apply the access list, our wireless clients lose internet connectivity. I can authenticate to the wireless controller, and can ping internal addresses of hosts on our network, but am unable to access any web pages. I can ping websites by IP address but not by domain name. I try to visit web pages by IP address and by web address but cannot reach the page. Not only web browsing is limited. I have a rule to explicitly allow remote desktop to a particular server, but I am unable to remote connect. Everything gets resolved once the access control list is removed.


I have attached a screenshot of my rules so that you can review and notify me if I am missing something. Thank you in advance for any help.


Cisco Employee

One thing you need to be aware of is that ACLs on the WLCs are not reflexive. You must explicitly allow the type of traffic in both directions. So if you are permitting anything to anything to destination UDP 69, then you would need to permit anything to anything with source UDP 69 to any destination UDP. You would have to do this for the rest of your flows. I hope this makes sense. 

To make things simpler you can do an easier ACL where you would:

1. Permit all sources to all destinations on all ports and protocol "outbound" direction only 

2. Permit all sources to any (if needed) internal destinations on the specific ports and protocols "inbound" direction only

3. Block all sources to all RFC 1918 on all ports and protocols "inbound" direction only

4. Permit all sources to all destinations on all ports and protocols


Thank you for rating helpful posts! 
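
The point in the reply above about non-reflexive ACLs, as an added example that is not part of the original thread or Cisco's own code: a small Python model of a stateless, first-match ACL showing why a one-way permit drops the return traffic. It matches on protocol and ports only (rule direction and IP addresses are left out), the implicit deny at the end is an assumption of the model, and the TCP 3389 rule and the ephemeral client port are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard: matches every port

@dataclass(frozen=True)
class Rule:
    proto: str                # "udp" or "tcp"
    src_port: Optional[int]   # ANY or a specific port
    dst_port: Optional[int]
    action: str = "permit"

@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int

def evaluate(acl, pkt):
    """Stateless check: first matching rule wins, nothing is remembered."""
    for rule in acl:
        if (rule.proto == pkt.proto
                and rule.src_port in (ANY, pkt.src_port)
                and rule.dst_port in (ANY, pkt.dst_port)):
            return rule.action
    return "deny"  # assumed implicit deny at the end of the list

def mirror(rule):
    """Return-traffic counterpart of a rule: swap source and destination port."""
    return Rule(rule.proto, rule.dst_port, rule.src_port, rule.action)

def with_return_rules(acl):
    """Append the mirrored rule for every permit that does not have one yet."""
    out = list(acl)
    for rule in acl:
        if rule.action == "permit" and mirror(rule) not in out:
            out.append(mirror(rule))
    return out

def reply_to(pkt):
    return Packet(pkt.proto, pkt.dst_port, pkt.src_port)

# Constructed sample: the reply's "destination UDP 69" permit plus a remote desktop permit
one_way = [Rule("udp", ANY, 69), Rule("tcp", ANY, 3389)]
request = Packet("udp", 50000, 69)  # 50000 is a made-up ephemeral client port

def demo():
    fixed = with_return_rules(one_way)
    reply = reply_to(request)
    return evaluate(one_way, request), evaluate(one_way, reply), evaluate(fixed, reply)
```

`demo()` returns the verdicts for the request, for its reply under the one-way list, and for the same reply once the mirrored rules are appended.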
