ACMP, Aruba Campus Access – Building Blocks – Policy Enforcement Firewall – # 2

Part 1

Destination Alias

  • Network aliases can reference internal networks, groups of servers, or external servers.

Example Destination Aliases

  • Create the network destination rule.
netdestination corp-internal
   network 10.15.0.0 255.255.254.0
   network 10.15.2.0 255.255.255.0
   network 10.15.3.0 255.255.255.128
   network 10.15.3.128 255.255.255.192
   network 10.15.3.192 255.255.255.224
   network 10.15.3.224 255.255.255.224
  • Create a firewall policy/rule that allows full access to the internal servers using an alias.
ip access-list session ACL-PERMIT-INTERNAL-NETWORKS
   user alias corp-internal any permit
  • Associate the new policy with the existing user role.
user-role USER-ROLE-EMPLOYEE-1
   access-list session ACL-DENY-COMPANY-SECURITY-POLICY-EXAMPLE
   access-list session ACL-EMPLOYEE-VOICE
   access-list session ACL-DENY-CLIENT-AS-DHCP-SERVER
   access-list session ACL-PERMIT-INTERNAL-NETWORKS
   access-list session allowall

A quick note about positioning.

  • Firewall rules are processed from top to bottom.
  • Positioning of rules is extremely important.
  • You can use the “position” keyword to insert a rule into the desired location in numerical order.
  • Position number 1 is reserved for the “Global Session ACL,” and position number 2 is reserved for the role “default session.”

Example:

access-list session ACL-PERMIT-INTERNAL-NETWORKS position 1
Position 1 and 2 are reserved for Global and Role default session ACLs.

access-list session ACL-PERMIT-INTERNAL-NETWORKS position 2
Position 1 and 2 are reserved for Global and Role default session ACLs.

Look at the original role and start counting from position 3: the first access-list entry in the role is position 3, the second is 4, and so on.

Original Rule:

user-role USER-ROLE-EMPLOYEE-1
   access-list session ACL-DENY-COMPANY-SECURITY-POLICY-EXAMPLE
   access-list session ACL-EMPLOYEE-VOICE
   access-list session ACL-DENY-CLIENT-AS-DHCP-SERVER
   access-list session allowall

Command

access-list session ACL-PERMIT-INTERNAL-NETWORKS position 6

New Rule:

user-role USER-ROLE-EMPLOYEE-1
   access-list session ACL-DENY-COMPANY-SECURITY-POLICY-EXAMPLE
   access-list session ACL-EMPLOYEE-VOICE
   access-list session ACL-DENY-CLIENT-AS-DHCP-SERVER
   access-list session ACL-PERMIT-INTERNAL-NETWORKS
   access-list session allowall
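The two mechanics above, the network alias and the "count from 3" positioning rule, are easy to check offline before touching a controller. The following Python is an added example (not from this post and not Aruba tooling): it parses the corp-internal alias with the standard ipaddress module, collapses its entries to the minimal prefix list, tests a destination against it, and models where "access-list session <acl> position <n>" lands inside a user-role. The sample config and role list are constructed from the snippets above; the model assumes the ACL being positioned is not already in the role.

```python
import ipaddress
import re

# Constructed sample input, copied from the alias and role discussed above.
NETDEST = """\
netdestination corp-internal
   network 10.15.0.0 255.255.254.0
   network 10.15.2.0 255.255.255.0
   network 10.15.3.0 255.255.255.128
   network 10.15.3.128 255.255.255.192
   network 10.15.3.192 255.255.255.224
   network 10.15.3.224 255.255.255.224
"""
ROLE = ["ACL-DENY-COMPANY-SECURITY-POLICY-EXAMPLE", "ACL-EMPLOYEE-VOICE",
        "ACL-DENY-CLIENT-AS-DHCP-SERVER", "allowall"]
RESERVED = {1: "Global Session ACL", 2: "Role default session ACL"}

def parse_netdestination(text):
    """Return (alias name, list of IPv4Network) from a netdestination block.
    Only 'network <addr> <mask>' entries are parsed; 'name' entries are skipped."""
    lines = [line.strip() for line in text.strip().splitlines()]
    alias = lines[0].split()[1]
    nets = []
    for line in lines[1:]:
        m = re.match(r"network\s+(\S+)\s+(\S+)$", line)
        if m:  # strict=True rejects an address that is not on the mask boundary
            nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=True))
    return alias, nets

def summarize(nets):
    """Collapse adjacent/overlapping entries to the minimal equivalent prefix list."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def matches_alias(nets, ip):
    """True if the destination address falls inside any entry of the alias."""
    return any(ipaddress.ip_address(ip) in n for n in nets)

def position_acl(role_acls, acl, position):
    """Model 'access-list session <acl> position <n>' inside a user-role:
    positions 1 and 2 are reserved, so the role's first ACL is position 3.
    Assumption: <acl> is not yet present in the role (re-positioning is not modelled)."""
    if position in RESERVED:
        raise ValueError(f"Position {position} is reserved for the {RESERVED[position]}")
    result = list(role_acls)
    result.insert(position - 3, acl)  # an index past the end simply appends
    return result

if __name__ == "__main__":
    print(summarize(parse_netdestination(NETDEST)[1]))  # ['10.15.0.0/22']
    print(position_acl(ROLE, "ACL-PERMIT-INTERNAL-NETWORKS", 6))
```

The six network entries collapse to a single 10.15.0.0/22, which is worth knowing when auditing an alias: one prefix is easier to review than six, and a stray entry outside the summary stands out immediately.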

Wildcard character

In some cases, it is more efficient to use the “*” wildcard character in rules. The wildcard matches patterns with variable or unknown content, so a single name entry can cover many hostnames instead of listing each one.

netdestination wildcard-example
   name *.example.com
   name *.app.example
   name *servers.app.example

Note: The Aruba WLC must be able to resolve DNS queries when using netdestination rules that contain URLs or domain names. Configure a name server on the controller, for example:

cd /mm/mynode
ip name-server 4.2.2.1
