WLC 3504 WebGUI over VPN

kevweb638373153
Level 1

Hello!

We manage the network for our customers, which concerns our products (conveyor technology). We are provided with two VLANs by the customer in which we can operate our devices (switches, WLC). Furthermore, in most cases we have a VPN VLAN connection to the customer for support.


For example:
Customer VLAN: 192.168.10.0/24 -> VLAN10
VPN VLAN: 192.168.174.0/24 -> VLAN174

VPN NAT address pool -> 172.29.*.*

We have already successfully implemented this with the switches and we can reach them via VPN.

For example:
Source IP 172.29.52.220 (NAT IP) -> 192.168.174.41 (switch)
SSH and Web connection successful

We also want to be able to manage the WLC via the WebGUI over VPN, but unfortunately we have a problem with the configuration.

The APs that the respective VLAN emits to operate our systems are connected to the management port (Port1) of the WLC.

In addition, I created a dynamic interface on the WLC (Port2), to which I assigned an IP address from the VPN VLAN, and I also configured the following command on the WLC:

"config network mgmt-via-dynamic-interface enable"

so that the WebGUI can also be accessed via this port. I also mapped a NAT IP to the VPN VLAN IP:
172.29.52.220 -> 192.168.174.50

Ping to the NAT IP 172.29.52.220 and the translation to 192.168.174.50 are successful, but unfortunately the WebGUI is not available (connection timeout).

I can open the WebGUI from a PC that is in the VPN VLAN, so the configuration for the second interface basically looks good, but unfortunately not via the NAT IP address.

The description is a bit long now, I'm sorry, but I hope you have an idea.

Is it even possible to access the WLC WebGUI via VPN or the Internet?

Thank you

4 Replies

Scott Fella
Hall of Fame
That is kind of a weird setup. Maybe what you should look at doing is using the service port instead of a dynamic interface. The service port is for OOB management and allows everything that the management interface allows. Just make sure that the service port does not have connectivity to the management port.
-Scott
*** Please rate helpful posts ***

Hi Scott,

Thanks for your reply.

The service port is a nice try, but there is no field to set the gateway on that port. In the controller guidelines I found the part about adding an IPv4 route on the controller to reach the service port from a remote subnet. How would you, in relation to the described scenario, configure this static route? Do I have to assign an IP address from the VPN VLAN subnet to the service port and point the static route to this address over the customer's default gateway (which is my VPN endpoint with NAT)?

Sorry, I know it's a weird setup, but a solution in this case would make my daily job much easier. :)

At the moment my only way to get access to the GUI is via a VPN-RDP session to a host in the same subnet as the management port.

Thanks

Kevin

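The static-route question in Kevin's post can be worked through with a small model. The Python below is an added example, not code from the thread or from Cisco: it models the controller's choice of reply path as a longest-prefix match over a constructed route table built from the thread's addresses (management 192.168.10.0/24 on Port1, the VPN VLAN 192.168.174.0/24 with 192.168.174.50 on the service port, NAT pool 172.29.0.0/16). The gateway addresses 192.168.10.1 (management default gateway) and 192.168.174.1 (VPN endpoint on VLAN174) are assumptions, and the 0.0.0.0/0 entry assumes the controller falls back to the management gateway when no more specific route exists. Under those assumptions a reply to 172.29.52.220 would leave via the management port unless a route for the NAT pool via the VPN-VLAN gateway is added, which is the asymmetric path that a stateful NAT/VPN device never completes. The `config route add network netmask gateway` syntax rendered at the end is the AireOS service-port static route command as I recall it; confirm it against the configuration guide for your release.

```python
import ipaddress

# Constructed route table modelling the controller in the thread.
# Each entry: (destination network, egress interface, next-hop gateway or None
# for a directly connected subnet). Gateway addresses are assumptions.
ROUTES_BASE = [
    (ipaddress.ip_network("192.168.10.0/24"), "port1-management", None),
    (ipaddress.ip_network("192.168.174.0/24"), "service-port", None),
    # assumed: default route through the management interface gateway
    (ipaddress.ip_network("0.0.0.0/0"), "port1-management", "192.168.10.1"),
]

# The candidate static route for the VPN NAT pool (172.29.*.*), pointing at the
# assumed VPN endpoint 192.168.174.1 on the VPN VLAN.
STATIC_ROUTE = (ipaddress.ip_network("172.29.0.0/16"), "service-port", "192.168.174.1")


def controller_routes(static_route_added):
    """Route table with or without the NAT-pool static route."""
    return ROUTES_BASE + ([STATIC_ROUTE] if static_route_added else [])


def egress_for(routes, destination):
    """Longest-prefix match: return (interface, gateway) for `destination`."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, iface, gateway in routes:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, gateway)
    return (best[1], best[2]) if best else None


def reply_is_symmetric(client_ip, arrival_iface, static_route_added):
    """True when the reply to `client_ip` leaves on the interface the request
    arrived on. An asymmetric return path is the classic reason a management
    session through a stateful NAT/VPN device never completes."""
    iface, _gateway = egress_for(controller_routes(static_route_added), client_ip)
    return iface == arrival_iface


def aireos_route_command(route):
    """Render the static route as an AireOS 'config route add' line.
    Syntax (network netmask gateway) is from memory; verify for your release."""
    network, _iface, gateway = route
    return f"config route add {network.network_address} {network.netmask} {gateway}"


if __name__ == "__main__":
    client = "172.29.52.220"  # NAT source address from the thread
    for added in (False, True):
        print(f"static route added={added}: reply to {client} leaves via",
              egress_for(controller_routes(added), client),
              "symmetric" if reply_is_symmetric(client, "service-port", added) else "ASYMMETRIC")
    print(aireos_route_command(STATIC_ROUTE))
```

The model deliberately says nothing about why ICMP to the NAT address succeeded while HTTPS timed out; the thread does not establish that. It only shows which route the controller needs so that traffic for the NAT pool returns to the VPN endpoint on the VPN VLAN rather than following the management default route. Swap the interface label for a dynamic interface name if you keep Port2 instead of the service port; the lookup logic is the same.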
The SP is for an L2 connection. I know folks who have a dedicated port in the office that connects to the SP VLAN. You can play around with the static route; I just never had to in all my past deployments.
-Scott
*** Please rate helpful posts ***

Never really tried on 3504 WLCs, but usually SP/management/OOB ports don't need default gateway settings since they do not generate traffic; instead they are perfectly capable of replying to incoming traffic from remote hosts.
