Firewall rules on MX65 do not seem intuitive to me - looking for documentation to help lift the fog

Steven
Getting noticed

We have recently undergone the process of converting our MX65s from Passthrough mode to NAT mode and in so doing we have broken communication between certain devices.  For instance, each MX65 has a VLAN for Meraki Mgmt (VLAN 30 for APs, WIPS) and wireless clients (VLAN 40).  In passthrough mode, Operations was able to communicate directly with APs and WIPS on the Mgmt network (from Data Center -> Local Mgmt VLAN).  After converting they cannot.  In passthrough mode you're allowed to configure rules Inbound and Outbound.  In NAT mode you can only configure Outbound rules and under "Inbound" it just states: "Inbound traffic will be restricted to the services and forwarding rules configured below."  The rule we have for Mgmt VLAN, under the "Outbound" section, is:


Allow Any-Proto Src-Mgmt-Net Src-Port-Any Dst-Any Dst-Port-Any


Do I also need to create another rule like this (reverse of the first rule)?


Allow Any-Proto Src-DC-Nets Src-Port-Any Dst-Mgmt-Net Dst-Port-Any


I really don't get the significance of the term "Outbound" in the case where the mode changes from passthrough to NAT.  Outbound in relation to what?  I don't get why it changes the behavior of the "Inbound" rule section under Security Appliance -> Firewall.

8 Replies
PhilipDAth
Kind of a big deal

Does operations connect via a WAN port or an internal VLAN?


If they connect via a WAN port, is it via AutoVPN?

Adam
Kind of a big deal

The best way I've found to think about Meraki's approach to firewall rules is that you don't create rules to stop inbound/incoming traffic but instead you'd create the same rule to prevent outgoing/outbound traffic.  I'm not sure exactly why they take this approach since it seems slightly more vulnerable to me since the traffic could technically get to your device but your device won't reply.   

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
MilesMeraki
Head in the Cloud

What were your reasons for turning the MXs to NAT Mode? As Philip stated, how are the MXs connected to your network upstream, WAN ports or LAN ports?

Eliot F | Simplifying IT with Cloud Solutions
Steven
Getting noticed


@PhilipDAth wrote:

Does operations connect via a WAN port or an internal VLAN?


If they connect via a WAN port, is it via AutoVPN?


The MX65 is in NAT mode and performing AutoVPN functions and Ops is reaching the Mgmt network via the IPsec tunnel.

PhilipDAth
Kind of a big deal
Kind of a big deal

By default AutoVPN permits all traffic.  The firewall for this is located under:

Security Appliance/Site to Site VPN/[scroll down to Organization-wide settings]


Screenshot from 2018-02-19 07-23-40.png

Steven
Getting noticed


@PhilipDAth wrote:

By default AutoVPN permits all traffic.  The firewall for this is located under:

Security Appliance/Site to Site VPN/[scroll down to Organization-wide settings]


Screenshot from 2018-02-19 07-23-40.png


There's a wrinkle to the way this is being deployed that might have an impact on this recommendation.  The MX65 is in the path of a DMVPN solution but is only providing encryption.  In other words, the GRE tunnels are based on Cisco routers and terminate on ASR head end routers in each of our data centers.  Traffic to/from the Meraki mgmt network trombones on the 2921 at the branch.  For instance, traffic inbound to the branch (from the DC) would follow this path to get to the Meraki MGMT network:


DC -> HE (GRE) -> MX600 -> Internet (IPsec) -> MX65 -> (GRE) -> 2921 -> MX65 (native IP) -> MGMT_Net.  The only network in the tunnel is a /30 between the MX65 and the router and it affects only the GRE traffic.

PhilipDAth
Kind of a big deal

Also make sure the subnets you are trying to get to are included in the VPN under:

Security Appliance/Routing

MilesMeraki
Head in the Cloud

Yeah, as @PhilipDAth has stated above, the common problem with this is not selecting "Yes" for the "Use in VPN" option in the site-to-site VPN settings (refer to below). This can be enabled via Security appliance > Site-to-site VPN.


Screen Shot 2018-02-19 at 8.48.16 PM.png

Eliot F | Simplifying IT with Cloud Solutions
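The two checks the replies converge on (is the Mgmt subnet actually advertised in AutoVPN, and does an organization-wide VPN firewall rule stop the DC-to-Mgmt flow) can be scripted offline. This is an added example, not code from the thread or from Meraki; it mirrors the field names of the Dashboard API v1 site-to-site VPN and VPN firewall rules responses, but every address, subnet and rule below is constructed, and the first-match evaluator is a simplified model of how the MX walks its rule list.

```python
"""Added example: offline checks for 'Use in VPN' and VPN firewall rule evaluation.
Payload shapes follow the Meraki Dashboard API v1 (siteToSiteVpn / vpnFirewallRules);
all values are constructed samples, not taken from the thread."""
import ipaddress

# Constructed per-network site-to-site VPN config for one branch MX65.
SITE_TO_SITE = {
    "mode": "spoke",
    "subnets": [
        {"localSubnet": "10.30.1.0/24", "useVpn": False},  # VLAN 30, Meraki Mgmt (APs, WIPS)
        {"localSubnet": "10.40.1.0/24", "useVpn": True},   # VLAN 40, wireless clients
    ],
}

# Constructed organization-wide site-to-site VPN firewall rules.
# Evaluated top-down, first match wins; if nothing matches, AutoVPN allows (the default).
VPN_RULES = [
    {"policy": "deny", "protocol": "tcp", "srcCidr": "any", "srcPort": "Any",
     "destCidr": "10.30.1.0/24", "destPort": "23"},          # block telnet into Mgmt
    {"policy": "allow", "protocol": "any", "srcCidr": "10.0.0.0/8", "srcPort": "Any",
     "destCidr": "10.30.1.0/24", "destPort": "Any"},         # DC nets -> Mgmt net
]

def subnets_not_in_vpn(cfg):
    """Local subnets whose 'Use in VPN' flag is off: they never enter the tunnel,
    so no firewall rule can help until the flag is set."""
    return [s["localSubnet"] for s in cfg["subnets"] if not s["useVpn"]]

def _cidr_match(spec, addr):
    # Meraki accepts "any" or a comma-separated list of CIDRs in a rule field.
    if spec.strip().lower() == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c.strip(), strict=False) for c in spec.split(","))

def _port_match(spec, port):
    return spec.strip().lower() == "any" or str(port) in [p.strip() for p in spec.split(",")]

def vpn_verdict(rules, proto, src, sport, dst, dport):
    """First-match evaluation; returns (policy, index of matching rule or None for default)."""
    for i, r in enumerate(rules):
        if (r["protocol"].lower() in ("any", proto.lower())
                and _cidr_match(r["srcCidr"], src) and _port_match(r["srcPort"], sport)
                and _cidr_match(r["destCidr"], dst) and _port_match(r["destPort"], dport)):
            return r["policy"], i
    return "allow", None  # implicit final rule: AutoVPN permits all traffic

if __name__ == "__main__":
    print("not advertised in VPN:", subnets_not_in_vpn(SITE_TO_SITE))
    print("DC -> Mgmt ssh:", vpn_verdict(VPN_RULES, "tcp", "10.1.2.3", 51000, "10.30.1.10", 22))
```

Against live data you would feed the same functions the JSON from the two endpoints; a subnet listed by `subnets_not_in_vpn` explains an unreachable Mgmt VLAN before any rule does.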