Meraki

Community

ACL rules traffic between DMZ to LAN

hmc250000
Getting noticed
‎Jan 25 2023 1:10 PM
‎Jan 25 2023 1:10 PM

ACL rules traffic between DMZ to LAN

Is there a way to lock down machines sitting in the DMZ but still allow them to authenticate on the LAN by allowing traffic to specific destinations and ports? These rules need apply only to traffic between DMZ and LAN.

Labels:
0 Kudos
12 Replies 12
hmc250000
Getting noticed
‎Jan 25 2023 1:17 PM
‎Jan 25 2023 1:17 PM

I think I found what I need but any other resources are welcome.

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Security...

0 Kudos
In response to hmc250000
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 25 2023 1:39 PM
‎Jan 25 2023 1:39 PM

You found the answer.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 25 2023 1:40 PM
‎Jan 25 2023 1:40 PM

I typically implement this with four blocks of lines in the Firewall rules:

Block1:

Allow DMZ-system to any needed destination on other VLANs

Block2:

Deny DMZ-Network to all RFC1918, this is the LAN and all other DMZs

Block3:

Allow needed traffic to "any" which is the internet in this case

Block4:

Deny DMZ-network to any

 

Yes, this is much easier with zones like on firepower. But it works good. And always remember that the Firewall-Rules do not control traffic to VPN-destinations. This is done in the Site-to-Site-VPN section.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
hmc250000
Getting noticed
‎Jan 26 2023 6:55 AM
‎Jan 26 2023 6:55 AM

We use private ip addresses in the DMZ. Is it possible to NAT (1 to many) between the DMZ and LAN using private ip addresses?

 

Maybe I'm missing something but from what I see so far the NAT rules either have to include public ip address or internet connection. 

0 Kudos
In response to hmc250000
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 26 2023 10:28 AM
‎Jan 26 2023 10:28 AM

Why do you want to NAT here if it's going from private to private?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
hmc250000
Getting noticed
‎Jan 26 2023 10:58 AM
‎Jan 26 2023 10:58 AM

I would prefer the connection to initiate traffic from one side only. Besides that you could easily integrate with the rest of the network without having to worry about ip address overlaps.

0 Kudos
In response to hmc250000
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 26 2023 12:47 PM
‎Jan 26 2023 12:47 PM

Allowing only to be initiated from one side is purely done with the ACL. No need for NAT. And if there is IP overlap inside of the network, something is severely wrong.

 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
hmc250000
Getting noticed
‎Jan 30 2023 6:23 AM
‎Jan 30 2023 6:23 AM

? severely wrong? You could have a need to assign an already used subnet for an external site2site VPN for example. I can think of several instances where this is helpful. in smaller networks you probably will not have to deal with this. cisco is more flexible when it comes to these type of configurations.

0 Kudos
In response to hmc250000
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 30 2023 6:28 AM
‎Jan 30 2023 6:28 AM

I was referring to overlapping subnets *inside* your own controlled infrastructure (which is DMZ to internal communication). For Extranet S2S, yes, that is a different story, but with that the MX falls behind anyhow.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
hmc250000
Getting noticed
‎Jan 30 2023 6:53 AM
‎Jan 30 2023 6:53 AM

how would you configure this on a Meraki MX?

> Allowing only to be initiated from one side is purely done with the ACL.

0 Kudos
In response to hmc250000
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 30 2023 6:57 AM
‎Jan 30 2023 6:57 AM

The firewall rules are stateful. You only have to allow the initial packet for a traffic flow and the return traffic is allowed automatically. My way to make sure that not too much traffic is allowed is described at the beginning of this discussion.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
hmc250000
Getting noticed
‎Jan 30 2023 7:50 AM
‎Jan 30 2023 7:50 AM

Yes makes sense. Thanks.

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.