VMX-M Inbound Security Group

Fabian1

Hi everyone,


On the Meraki dashboard, I can only see the outbound traffic firewall rules that we have to open for the communication between the Meraki cloud and the AWS appliance.

Are there any inbound ports that need to be open to the internet? At the moment, there is an "any" rule from the internet to the appliance, but we would like to optimize the security group so that we allow only the needed ports. Is there a list somewhere?


Thanks and best

Fabian

1 Accepted Solution
PhilipDAth

Don't forget, the VMX is a firewall.  You don't normally need to restrict traffic to it.


If you do wish to restrict traffic to it then configure manual NAT traversal.  Whatever port you choose, allow that in.  I would also allow ICMP for diagnostics.

https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_Auto_VPN_Tunneling_... 


Also, be careful limiting outbound access from the Azure side.  The VMX will need to be able to talk to any IP of a remote MX that it has an AutoVPN association with.  If you limit this, then AutoVPN can only bring up connections if the remote end does so.

This reduces the reliability of the system.  If the AutoVPN goes down to a peer, and that peer does not detect it, then the VPN will remain down and won't self-heal.  If you allow the VMX to talk outwards to everything, then if either end detects a failure, either end can repair the connection.  Much more reliable.

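As an added illustration of the accepted answer (this is example code, not something posted in the thread or published by Meraki), the script below audits an AWS security group's inbound rules for the "any from the internet" entry the question describes and builds the minimal replacement: the manual NAT traversal port plus ICMP inbound, with egress left wide open so either side of an AutoVPN tunnel can repair it. It assumes rules in the EC2 API `IpPermissions` shape used by boto3, assumes the manual NAT traversal port is UDP, and uses a constructed placeholder port number (`EXAMPLE_NAT_TRAVERSAL_PORT`); substitute whatever port you actually chose on the dashboard. The optional `peer_cidrs` narrowing of sources goes beyond the thread, which only discusses the port.

```python
"""Audit and rebuild a VMX security group's ingress (added example, not from the thread)."""
from typing import Dict, List, Optional

# Constructed placeholder for the UDP port chosen under manual NAT traversal
# on the dashboard. Replace with the port you actually configured.
EXAMPLE_NAT_TRAVERSAL_PORT = 32768

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def _cidrs(rule: Dict) -> List[str]:
    """Collect every IPv4/IPv6 CIDR a rule grants (EC2 IpPermissions shape)."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def is_any_from_internet(rule: Dict) -> bool:
    """True for the 'all protocols, all ports, from anywhere' rule the question mentions."""
    all_protocols = rule.get("IpProtocol") == "-1"
    from_anywhere = any(c in (ANY_V4, ANY_V6) for c in _cidrs(rule))
    return all_protocols and from_anywhere


def audit_ingress(ingress: List[Dict]) -> List[str]:
    """Return one finding per ingress rule that exposes everything to the internet."""
    findings = []
    for i, rule in enumerate(ingress):
        if is_any_from_internet(rule):
            findings.append(f"rule[{i}]: all protocols/ports open from {', '.join(_cidrs(rule))}")
    return findings


def minimal_vmx_ingress(nat_traversal_port: int,
                        peer_cidrs: Optional[List[str]] = None) -> List[Dict]:
    """Ingress set matching the accepted answer: the manual NAT traversal port plus ICMP.

    peer_cidrs (assumption beyond the thread) narrows sources to known remote MX
    public IPs; leave it out if peers have dynamic addresses, in which case the
    single UDP port stays open from 0.0.0.0/0.
    """
    sources = [{"CidrIp": c} for c in (peer_cidrs or [ANY_V4])]
    return [
        {"IpProtocol": "udp", "FromPort": nat_traversal_port,
         "ToPort": nat_traversal_port, "IpRanges": sources},
        # ICMP echo request (type 8, any code) so ping keeps working for diagnostics
        {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1, "IpRanges": sources},
    ]


def unrestricted_egress() -> List[Dict]:
    """Leave egress open so either end of an AutoVPN tunnel can re-establish it."""
    return [{"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": ANY_V4}],
             "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]


# Constructed sample: the current 'any from the internet' group from the question
CURRENT_INGRESS = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
]

if __name__ == "__main__":
    for line in audit_ingress(CURRENT_INGRESS):
        print("FINDING:", line)
    proposed = minimal_vmx_ingress(EXAMPLE_NAT_TRAVERSAL_PORT)
    print("proposed ingress:", proposed)
    print("proposed egress:", unrestricted_egress())
    print("audit of proposal:", audit_ingress(proposed))
```

The rule dictionaries are in the shape `authorize_security_group_ingress` accepts, so the proposed list can be passed straight to boto3 once the placeholder port is replaced; the audit function can equally be run over the `IpPermissions` of a `describe_security_groups` result.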

3 Replies
Chema-Spain

Hi, so no NSG is required for vMX in Azure. I had seen in another post, https://ccietbd.com/2022/04/20/basic-anyconnect-on-azure-hosted-meraki-vmx, that AnyConnect would not work unless you configure inbound rules to allow TCP/443 and UDP/443 for the vMX in the NIC/subnet-associated NSG. However, I saw that post this morning, after deploying a vMX in Azure last week without associating any NSG. And AnyConnect worked fine. Maybe Meraki could have changed that behaviour recently. Thanks!

PhilipDAth

The trick, which that post does not mention, is that you must specify a zone of "none" when deploying.  And then it will work, as you describe.
