Adding an ACL from an ASA into the MX

MLucas1911

 

I'm migrating a client from an ASA to an MX. I'm trying to figure out how to add my ACLs given the lack of inbound rules in Meraki.

 

Example of my current ACLs:

 

access-list outside_access_in extended permit tcp 22.x.x.x 192.168.x.100 object List_of_ports
access-list outside_access_in extended permit tcp 22.x.x.x 192.168.x.101 object List_of_ports
access-list outside_access_in extended permit tcp 22.x.x.x 192.168.x.102 object List_of_ports

 

Basically, I want one outside address to be able to get to a few internal addresses using the list of ports. Sounds like NAT or port forwarding. However, that one outside IP needs to get to 3 devices internally. When I've tried to add NAT or port forwarding, I can only use that outside address one time. I can't have a separate rule for each internal IP they need access to, as it gives me an error that the remote IP cannot be in there twice.

 

I feel like one person getting me thinking the correct Meraki way and I'll be golden...

NolanHerring

Off the cuff, would the 1:Many NAT feature under the Firewall configuration page accomplish what you're trying to do?
Nolan Herring | nolanwifi.com

Thanks for the quick reply, that may work, I'll try. But I know with one to many NAT that I can only specify one port at a time, and I have a list of 40+ ports in the object.

Not certain as I've never tried, but you might be able to use a comma or hyphen-range in the port field if that helps keep down the number of entries you have to input. If not then I guess you're going to simply have to pour some coffee and get to clicking =P

Lol, clicking away. Thanks for the help!

 

One to Many doesn't work. If I try one 1:many then I can't duplicate ports for all three internal IPs, but if I try multiple 1:many (one per internal IP) then it doesn't allow me to duplicate outside IPs on multiple NATs.

 

Not digging Meraki right now...

Can you provide a screenshot of the config you're trying to do before you hit save?

I believe for this to work you will have to change the external port to different/unique port numbers if you're trying to use the same internal port number (I could be wrong on this as I've never had to do it. Others on the forum here have more experience with this, so hopefully someone else will respond).

I figured it out. In the ASA I had 1:1 NAT statements to each internal device, so I added those 1:1 NATs and then put the forwarding rule for the ports underneath each 1:1.

Just tested this in my lab. I can use the same local port if the public port is unique.


Glad to hear you got it working. So you ended up going with 1:1 instead of 1:Many? Thought you got an error about using the same public IP more than once? Or am I misunderstanding?

I got an error with using multiple outside IPs when I tried port forwarding, then when I tried 1:many I got an error when I tried to duplicate ports or the outside IP. So I went with 1:1 NAT and added my forwarding rules under each 1:1.
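The 1:1 NAT plus allowed-inbound approach the thread ends on, as an added example that is not part of the original posts or of Meraki's own tooling: a Python script that reads a constructed ASA fragment (documentation addresses, not the poster's config), parses the port object-group and the static NATs, and emits the equivalent MX rules as the body of the Dashboard API call PUT /networks/{networkId}/appliance/firewall/oneToOneNatRules. The field names, the `lo-hi` port-range notation and the `internet1` uplink name are assumptions to check against the current API reference before pushing anything. It merges adjacent ports so a 40-entry object-group becomes a handful of entries, keeps each allowed-inbound entry scoped to the one remote address the ACL named rather than Any, and refuses hosts that have no dedicated public IP, which is exactly the case where port forwarding with unique public ports is the only option.

```python
# Added example, not from the thread: ASA static NATs + inbound ACL -> Meraki MX 1:1 NAT rules.
# Assumed API body shape, "lo-hi" port ranges and "internet1" uplink name: verify before use.
import json
import re

# Constructed ASA fragment (documentation addresses) in the shape the poster describes:
# one tcp port object-group, a static NAT per internal host, one ACL line per host.
ASA_CONFIG = """\
object-group service List_of_ports tcp
 port-object eq 22
 port-object range 8000 8005
 port-object eq 8006
object network SRV100
 host 192.168.10.100
 nat (inside,outside) static 203.0.113.100
object network SRV101
 host 192.168.10.101
 nat (inside,outside) static 203.0.113.101
object network SRV102
 host 192.168.10.102
 nat (inside,outside) static 203.0.113.102
access-list outside_access_in extended permit tcp host 198.51.100.25 host 192.168.10.100 object-group List_of_ports
access-list outside_access_in extended permit tcp host 198.51.100.25 host 192.168.10.101 object-group List_of_ports
access-list outside_access_in extended permit tcp host 198.51.100.25 host 192.168.10.102 object-group List_of_ports
"""

ACL_RE = re.compile(r"access-list (?P<acl>\S+) extended permit (?P<proto>tcp|udp) "
                    r"host (?P<src>\S+) host (?P<dst>\S+) object-group (?P<group>\S+)$")


def merge_ranges(ranges):
    """Sort (lo, hi) ranges and coalesce overlapping/adjacent ones into the fewest entries."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def parse_port_groups(cfg):
    """Map each 'object-group service' name to its merged (lo, hi) port ranges."""
    groups, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"object-group service (\S+)", line)
        if head:
            current = groups.setdefault(head.group(1), [])
        elif not line.startswith(" "):          # any other top-level line ends the group
            current = None
        elif current is not None:
            m = re.match(r" port-object (?:eq (\d+)|range (\d+) (\d+))$", line)
            if m and m.group(1):
                current.append((int(m.group(1)), int(m.group(1))))
            elif m:
                current.append((int(m.group(2)), int(m.group(3))))
    return {name: merge_ranges(r) for name, r in groups.items()}


def parse_static_nats(cfg):
    """Map each 'object network' host address to the public IP of its static NAT."""
    nats, host = {}, None
    for line in cfg.splitlines():
        if line.startswith("object network"):
            host = None
        elif (m := re.match(r" host (\S+)$", line)):
            host = m.group(1)
        elif host and (m := re.match(r" nat \([^)]*\) static (\S+)$", line)):
            nats[host] = m.group(1)
    return nats


def build_one_to_one_rules(cfg, acl_name="outside_access_in", uplink="internet1"):
    """One 1:1 NAT rule per inside host; each ACL line becomes an allowedInbound entry
    scoped to the remote address the ACL named, never 'Any'."""
    groups, nats = parse_port_groups(cfg), parse_static_nats(cfg)
    rules, inbound = {}, {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group("acl") != acl_name:
            continue
        proto, src, dst = m.group("proto"), m.group("src"), m.group("dst")
        if dst not in nats:
            # No dedicated public IP: not a 1:1 candidate, needs port forwarding instead.
            raise ValueError(f"{dst} has no static NAT; use port forwarding with unique public ports")
        rule = rules.setdefault(dst, {"name": f"{acl_name} {dst}", "publicIp": nats[dst],
                                      "lanIp": dst, "uplink": uplink, "allowedInbound": []})
        ranges = tuple(groups[m.group("group")])
        entry = inbound.get((dst, proto, ranges))
        if entry is None:
            ports = [str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges]
            entry = inbound[(dst, proto, ranges)] = {"protocol": proto,
                                                    "destinationPorts": ports, "allowedIps": []}
            rule["allowedInbound"].append(entry)
        if src not in entry["allowedIps"]:
            entry["allowedIps"].append(src)
    return {"rules": list(rules.values())}


if __name__ == "__main__":
    print(json.dumps(build_one_to_one_rules(ASA_CONFIG), indent=2))
```

Running the script prints the rule set; pushing it replaces the network's whole 1:1 NAT table, so diff it against the existing rules first. After it is applied, confirm from the permitted remote address that the listed ports answer, and from any other address that they do not, since the allowed-IP scoping is what carries the ACL's restriction across.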
