Meraki

Community

Firewall rules on MX65 do not seem intuitive to me - looking for documentation to help lift the fog

Steven
Getting noticed
‎Feb 17 2018 5:46 AM
‎Feb 17 2018 5:46 AM

Firewall rules on MX65 do not seem intuitive to me - looking for documentation to help lift the fog

We have recently undergone the process of converting our MX65s from Passthrough mode to NAT mode and in so doing we have broken communication between certain devices.  For instance, each MX65 has a VLAN for Meraki Mgmt (VLAN 30 for APs, WIPS) and wireless clients (VLAN 40).  In passthrough mode, Operations was able to communicate directly with APs and WIPS on the Mgmt network (from Data Center -> Local Mgmt VLAN).  After converting they cannot.  In passthrough mode you're allowed to configure rules Inbound and Outbound.  In NAT mode you can only configure Outbound rules and under "Inbound" it just states: "Inbound traffic will be restricted to the services and forwarding rules configured below."  The rule we have for Mgmt VLAN, under the "Outbound" section, is:

 

Allow Any-Proto Src-Mgmt-Net Src-Port-Any Dst-Any Dst-Port-Any

 

Do I also need to create another rule like this (reverse of the first rule)?

 

Allow Any-Proto Src-DC-Nets Src-Port-Any Dst-Mgmt-Net Dst-Port-Any

 

I really don't get the significance of the term "Outbound" in the case where the mode changes from passthrough to NAT.  Outbound in relation to what?  I don't get why it changes the behavior of the "Inbound" rule section under Security Appliance -> Firewall

0 Kudos
8 Replies 8
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 17 2018 10:58 AM
‎Feb 17 2018 10:58 AM

Does operations connect via a WAN port or an internal vlan? 

 

If they connect via a WAN port is it via  AutoVPN ? 

0 Kudos
In response to PhilipDAth
Adam
Kind of a big deal
‎Feb 17 2018 7:43 PM
‎Feb 17 2018 7:43 PM

The best way I've found to think about Meraki's approach to firewall rules is that you don't create rules to stop inbound/incoming traffic but instead you'd create the same rule to prevent outgoing/outbound traffic.  I'm not sure exactly why they take this approach since it seems slightly more vulnerable to me since the traffic could technically get to your device but your device won't reply.   

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
In response to Adam
MilesMeraki
Head in the Cloud
‎Feb 17 2018 10:21 PM
‎Feb 17 2018 10:21 PM

What were your reasons for turning the MX's to NAT Mode? As Phillip stated, how are the MX's connected to your network up-stream, WAN ports or LAN ports?

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
0 Kudos
In response to PhilipDAth
Steven
Getting noticed
‎Feb 18 2018 5:54 AM
‎Feb 18 2018 5:54 AM

@PhilipDAth wrote:

Does operations connect via a WAN port or an internal vlan? 

 

If they connect via a WAN port is it via  AutoVPN ? 

The MX65 is in NAT mode and performing AutoVPN functions and Ops is reaching the Mgmt network via the IPsec tunnel.

0 Kudos
In response to Steven
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 18 2018 10:24 AM
‎Feb 18 2018 10:24 AM

By default AutoVPN traffic permits all traffic.  The firewall for this are located:

Security Appliance/Site to Site VPN/[scroll down to Organization-wide settings]

 

Screenshot from 2018-02-19 07-23-40.png

0 Kudos
In response to PhilipDAth
Steven
Getting noticed
‎Feb 19 2018 12:21 PM
‎Feb 19 2018 12:21 PM

@PhilipDAth wrote:

By default AutoVPN traffic permits all traffic.  The firewall for this are located:

Security Appliance/Site to Site VPN/[scroll down to Organization-wide settings]

 

Screenshot from 2018-02-19 07-23-40.png

There's a wrinkle to the way this is being deployed that might have an impact on this recommendation.  The MX65 is in the path of a DMVPN solution but is only providing encryption.  In other words, the GRE tunnels are based on Cisco routers and terminate on ASR head end routers in each of our data centers.  Traffic to/from the Meraki mgmt network trombone on the 2921 at the branch.  For instance, traffic inbound to the branch (from the DC) would follow this path to get the Meraki MGMT network:

 

DC -> HE (GRE) -> MX600 -> Internet (IPsec) -> MX65 -> (GRE) -> 2921 -> MX65 (native IP) -> MGMT_Net.  The only network in the tunnel is a /30 between the MX65 and the router and effects only the GRE traffic.  

0 Kudos
In response to Steven
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 18 2018 10:29 AM
‎Feb 18 2018 10:29 AM

Also make sure the subnets you are trying to get to are included in the VPN under:

Security Appliance/Routing

0 Kudos
In response to PhilipDAth
MilesMeraki
Head in the Cloud
‎Feb 18 2018 11:49 PM
‎Feb 18 2018 11:49 PM

Yeah as @PhilipDAth has stated above, the common problem with this is not using "Yes" for the Use in VPN site to site VPN settings (Refer to below). This can be enabled via security appliance>site to site vpn.

 

 

Screen Shot 2018-02-19 at 8.48.16 PM.png

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.