Is there a way to lock down machines sitting in the DMZ but still allow them to authenticate on the LAN by allowing traffic to specific destinations and ports? These rules need to apply only to traffic between the DMZ and the LAN.
I think I found what I need but any other resources are welcome.
You found the answer.
I typically implement this with four blocks of lines in the Firewall rules:
Block 1: Allow DMZ-system to any needed destination on other VLANs
Block 2: Deny DMZ-network to all RFC1918 (this is the LAN and all other DMZs)
Block 3: Allow needed traffic to "any", which is the internet in this case
Block 4: Deny DMZ-network to any
Yes, this is much easier with zones like on Firepower. But it works well. And always remember that the firewall rules do not control traffic to VPN destinations. This is done in the Site-to-Site VPN section.
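To see why the order of the four blocks matters, here is an added example (not code from the thread or from Meraki) that models the blocks as an ordered, first-match ACL and evaluates sample flows against it. The addressing (a 192.168.100.0/24 DMZ, a web server at .10, a domain controller at 10.0.0.10) is constructed, and the rule field names follow the layout of Meraki Dashboard API L3 firewall rules as an assumption; the treatment of the unmatched case as an implicit allow is also an assumption of the model and is the reason Block 4 ends the list with an explicit deny.

```python
"""Ordered, first-match model of the four-block DMZ rule set described above."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample addressing, not taken from the thread.
DMZ_NET = "192.168.100.0/24"   # the DMZ VLAN
DMZ_WEB = "192.168.100.10/32"  # one DMZ server that must reach AD
LAN_DC = "10.0.0.10/32"        # hypothetical domain controller on the LAN

# The four blocks, written in the field layout used by Meraki Dashboard API
# L3 firewall rules (assumed field names, constructed values).
RULES = [
    {"comment": "Block1: DMZ web server -> DC (Kerberos/LDAP/LDAPS)", "policy": "allow",
     "protocol": "tcp", "srcCidr": DMZ_WEB, "destCidr": LAN_DC, "destPort": "88,389,636"},
    {"comment": "Block2: deny DMZ -> all RFC1918 (LAN and other DMZs)", "policy": "deny",
     "protocol": "any", "srcCidr": DMZ_NET,
     "destCidr": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16", "destPort": "Any"},
    {"comment": "Block3: allow DMZ -> internet on web ports only", "policy": "allow",
     "protocol": "tcp", "srcCidr": DMZ_NET, "destCidr": "Any", "destPort": "80,443"},
    {"comment": "Block4: deny DMZ -> anything else", "policy": "deny",
     "protocol": "any", "srcCidr": DMZ_NET, "destCidr": "Any", "destPort": "Any"},
]


def cidr_matches(field, ip):
    """True if ip falls inside any comma-separated CIDR in field ('Any' matches all)."""
    if field.lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip()) for c in field.split(","))


def port_matches(field, port):
    """True if port is listed in field: 'Any', single ports and 'lo-hi' ranges."""
    if field.lower() == "any":
        return True
    for item in field.split(","):
        lo, _, hi = item.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation of the initiating packet of a flow.

    Returns (policy, comment). When nothing matches, this model treats the
    traffic as allowed by an implicit default rule (assumption), which is
    why Block4 closes the list with an explicit deny.
    """
    for rule in rules:
        proto_ok = rule["protocol"] == "any" or rule["protocol"] == proto
        if (proto_ok and cidr_matches(rule["srcCidr"], src)
                and cidr_matches(rule["destCidr"], dst)
                and port_matches(rule["destPort"], dport)):
            return rule["policy"], rule["comment"]
    return "allow", "implicit default rule"


def is_rfc1918(ip):
    """True for any RFC1918 private address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def lint_order(rules):
    """Flag the classic ordering mistake: an 'allow to Any' rule placed above the
    RFC1918 deny, which would let DMZ hosts reach the LAN on the allowed ports.
    Returns the comments of the offending allow rules (empty list if none)."""
    deny_idx = next((i for i, r in enumerate(rules)
                     if r["policy"] == "deny"
                     and all(cidr_matches(r["destCidr"], str(n.network_address)) for n in RFC1918)),
                    None)
    allow_any = [i for i, r in enumerate(rules)
                 if r["policy"] == "allow" and r["destCidr"].lower() == "any"]
    return [rules[i]["comment"] for i in allow_any if deny_idx is None or i < deny_idx]


if __name__ == "__main__":
    flows = [("192.168.100.10", "10.0.0.10", "tcp", 636),   # web server to DC: Block1
             ("192.168.100.20", "10.0.0.10", "tcp", 636),   # other DMZ host to DC: Block2
             ("192.168.100.10", "192.168.1.5", "tcp", 443),  # DMZ to another internal net: Block2
             ("192.168.100.20", "203.0.113.7", "tcp", 443),  # DMZ to internet web: Block3
             ("192.168.100.20", "203.0.113.7", "tcp", 25)]   # DMZ to internet SMTP: Block4
    for f in flows:
        print(f, "->", evaluate(RULES, *f))
    print("order warnings:", lint_order(RULES))
```

Swap Block 2 and Block 3 in the list and `evaluate` shows the leak directly: a DMZ host reaching 10.0.0.20 on tcp/443 is allowed by the "to Any" rule before the RFC1918 deny is ever reached, and `lint_order` names that rule. Only the initiating packet is modelled, which is all a stateful rule set needs; the return traffic follows the flow.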
We use private IP addresses in the DMZ. Is it possible to NAT (1 to many) between the DMZ and LAN using private IP addresses?
Maybe I'm missing something, but from what I see so far the NAT rules either have to include a public IP address or an internet connection.
Why do you want to NAT here if it's going from private to private?
I would prefer the connection to initiate traffic from one side only. Besides that, you could easily integrate with the rest of the network without having to worry about IP address overlaps.
Allowing only to be initiated from one side is purely done with the ACL. No need for NAT. And if there is IP overlap inside of the network, something is severely wrong.
Severely wrong? You could have a need to assign an already used subnet for an external site-to-site VPN, for example. I can think of several instances where this is helpful. In smaller networks you probably will not have to deal with this. Cisco is more flexible when it comes to these types of configurations.
I was referring to overlapping subnets *inside* your own controlled infrastructure (which is DMZ to internal communication). For Extranet S2S, yes, that is a different story, but with that the MX falls behind anyhow.
How would you configure this on a Meraki MX?
> Allowing only to be initiated from one side is purely done with the ACL.
The firewall rules are stateful. You only have to allow the initial packet for a traffic flow and the return traffic is allowed automatically. My way to make sure that not too much traffic is allowed is described at the beginning of this discussion.
Yes, makes sense. Thanks.