ACL rules traffic between DMZ to LAN

hmc250000
Getting noticed

Is there a way to lock down machines sitting in the DMZ but still allow them to authenticate on the LAN by allowing traffic to specific destinations and ports? These rules need apply only to traffic between DMZ and LAN.

alemabrahao
Kind of a big deal

You found the answer.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KarstenI
Kind of a big deal

I typically implement this with four blocks of lines in the Firewall rules:

Block 1: Allow DMZ-system to any needed destination on other VLANs

Block 2: Deny DMZ-Network to all RFC1918; this is the LAN and all other DMZs

Block 3: Allow needed traffic to "any", which is the internet in this case

Block 4: Deny DMZ-network to any

Yes, this is much easier with zones like on Firepower. But it works well. And always remember that the Firewall-Rules do not control traffic to VPN-destinations. This is done in the Site-to-Site-VPN section.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
hmc250000
Getting noticed

We use private IP addresses in the DMZ. Is it possible to NAT (1 to many) between the DMZ and LAN using private IP addresses?

Maybe I'm missing something, but from what I see so far the NAT rules either have to include a public IP address or an internet connection.

KarstenI
Kind of a big deal

Why do you want to NAT here if it's going from private to private?

hmc250000
Getting noticed

I would prefer the connection to initiate traffic from one side only. Besides that, you could easily integrate with the rest of the network without having to worry about IP address overlaps.

KarstenI
Kind of a big deal

Allowing only to be initiated from one side is purely done with the ACL. No need for NAT. And if there is IP overlap inside of the network, something is severely wrong.
hmc250000
Getting noticed

Severely wrong? You could have a need to assign an already used subnet for an external site-to-site VPN, for example. I can think of several instances where this is helpful. In smaller networks you probably will not have to deal with this. Cisco is more flexible when it comes to these types of configurations.

KarstenI
Kind of a big deal

I was referring to overlapping subnets *inside* your own controlled infrastructure (which is DMZ to internal communication). For Extranet S2S, yes, that is a different story, but with that the MX falls behind anyhow.

hmc250000
Getting noticed

How would you configure this on a Meraki MX?

> Allowing only to be initiated from one side is purely done with the ACL.

KarstenI
Kind of a big deal

The firewall rules are stateful. You only have to allow the initial packet for a traffic flow and the return traffic is allowed automatically. My way to make sure that not too much traffic is allowed is described at the beginning of this discussion.

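The four-block rule scheme from earlier in this thread and the stateful point just made, as an added illustration that is not part of the thread and not Meraki's code or API: a small Python evaluator that walks a rule list top to bottom with first-match semantics and keeps a connection table so that only a flow's initiating packet is ever checked against the rules. The addressing (DMZ VLAN 192.168.50.0/24, a domain controller at 10.0.1.10), the port choices, and the permissive default for traffic matching no rule are constructed assumptions for the example.

```python
# Added illustration (not Meraki code): a first-match evaluator for the
# four-block DMZ rule scheme from this thread, plus a minimal connection table
# to show why only the initiating packet of a flow needs a rule.
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example: DMZ VLAN and one LAN domain controller.
DMZ = "192.168.50.0/24"
DC = "10.0.1.10/32"

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR, "any", or the pseudo-object "rfc1918"
    proto: str         # "tcp", "udp" or "any"
    dports: frozenset  # destination ports; empty means any port
    comment: str


# Rules in the order they would be listed, top to bottom.
RULES = [
    # Block 1: the few destinations DMZ hosts really need on other VLANs
    Rule("allow", DMZ, DC, "tcp", frozenset({88, 389, 636}), "Block1 LDAP/Kerberos to DC"),
    Rule("allow", DMZ, DC, "udp", frozenset({53, 88}), "Block1 DNS/Kerberos to DC"),
    # Block 2: everything else private is off limits (LAN and other DMZs)
    Rule("deny", DMZ, "rfc1918", "any", frozenset(), "Block2 deny DMZ to RFC1918"),
    # Block 3: what may go out to the internet
    Rule("allow", DMZ, "any", "tcp", frozenset({80, 443}), "Block3 web to internet"),
    # Block 4: catch-all, so nothing falls through to the permissive default
    Rule("deny", DMZ, "any", "any", frozenset(), "Block4 deny DMZ to any"),
]


def _dst_matches(rule_dst, ip):
    if rule_dst == "any":
        return True
    if rule_dst == "rfc1918":
        return any(ip in net for net in RFC1918)
    return ip in ipaddress.ip_network(rule_dst, strict=False)


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First matching rule wins; returns (action, comment).

    Traffic matching no rule is allowed here (an assumption of this example,
    modelling a permissive final default), which is why Block 4 exists.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src not in ipaddress.ip_network(rule.src, strict=False):
            continue
        if not _dst_matches(rule.dst, dst):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dports and dport not in rule.dports:
            continue
        return rule.action, rule.comment
    return "allow", "no rule matched: default allow"


class StatefulFirewall:
    """Consults the rule list only for a flow's first packet."""

    def __init__(self, rules):
        self.rules = rules
        self.established = set()  # (src, dst, proto, sport, dport) of allowed flows

    def packet(self, src_ip, dst_ip, proto, sport, dport):
        # Reply packets of an established flow are allowed without a rule lookup.
        if (dst_ip, src_ip, proto, dport, sport) in self.established:
            return "allow", "established (return traffic)"
        action, why = evaluate(self.rules, src_ip, dst_ip, proto, dport)
        if action == "allow":
            self.established.add((src_ip, dst_ip, proto, sport, dport))
        return action, why


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    for pkt in [("192.168.50.10", "10.0.1.10", "tcp", 50000, 389),    # DMZ -> DC LDAP
                ("10.0.1.10", "192.168.50.10", "tcp", 389, 50000),    # the reply
                ("192.168.50.10", "10.0.1.10", "tcp", 50001, 445),    # DMZ -> DC SMB
                ("192.168.50.10", "203.0.113.5", "tcp", 50002, 443),  # DMZ -> internet HTTPS
                ("192.168.50.10", "203.0.113.5", "tcp", 50003, 25)]:  # DMZ -> internet SMTP
        print(pkt, "->", fw.packet(*pkt))
```

Two things the evaluator makes visible that the prose leaves implicit: the scheme only constrains traffic sourced from the DMZ, so the reply from the domain controller is passed by the connection table rather than by any rule; and the blocks only work in the stated order, since moving the RFC1918 deny above Block 1 silently breaks authentication to the LAN.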
hmc250000
Getting noticed

Yes, makes sense. Thanks.