AnyConnect blocked due to "new l3 Inbound FW rules" on MX

Solved
GregGriessel
Conversationalist

Let me preface this with the fact that I have an open support case under investigation, but I'm putting it out there for others.

My AnyConnect service on my MX stopped working suddenly. After a lot of troubleshooting, it seems that the new implementation of the new MX L3 inbound FW rules blocks the AnyConnect clients' connections.

Symptoms were the AC clients just timing out, prior to auth.

No general log entries.

I found that if I looked at the live firewall logs (under appliance status tools) then I saw the connections being denied (by rule 0).

So I added an L3 inbound rule, Any - Any on the AnyConnect port, and that did the trick, although I'm not 100% happy with this as it opens the device to all inbound connections to the service port (seems bad).

That said, surely this is something the AnyConnect service should be doing, and NOT a manual firewall entry??

Anyone else seeing this? Comments?
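To make the "denied by rule 0" symptom and the Any/Any concern concrete, here is an added example (not from the thread, not Meraki's code): a first-match evaluator over rules laid out like Meraki L3 inbound firewall entries (the field names policy/protocol/srcCidr/srcPort/destCidr/destPort are an assumption), with an implicit default deny as rule 0 and a check that flags allow rules open on every source and destination. The WAN address and the AnyConnect port 443 are constructed placeholders; the thread does not name either.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders (assumptions, not values from the thread).
MX_WAN_IP = "203.0.113.10"
AC_PORT = 443  # assumed AnyConnect listener port

# Two candidate fixes in the assumed Meraki rule layout: the OP's Any/Any rule
# and a version scoped to the MX's own WAN address.
BROAD_RULE = {"comment": "OP workaround", "policy": "allow", "protocol": "tcp",
              "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": str(AC_PORT)}
NARROW_RULE = {"comment": "scoped to WAN IP", "policy": "allow", "protocol": "tcp",
               "srcCidr": "Any", "srcPort": "Any", "destCidr": f"{MX_WAN_IP}/32", "destPort": str(AC_PORT)}


def _cidr_match(field, addr):
    """'Any' or a comma-separated list of CIDRs, as the rule fields allow."""
    if field.strip().lower() == "any":
        return True
    return any(ip_address(addr) in ip_network(c.strip(), strict=False) for c in field.split(","))


def _port_match(field, port):
    """'Any', single ports or ranges like '443,8443-8444'."""
    if field.strip().lower() == "any":
        return True
    for part in field.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """First match wins. Returns (policy, rule_number); rule 0 is the implicit
    default deny the OP saw in the live firewall log when no rule matched."""
    for number, rule in enumerate(rules, start=1):
        if rule["protocol"].lower() not in ("any", proto):
            continue
        if (_cidr_match(rule["srcCidr"], src_ip) and _cidr_match(rule["destCidr"], dst_ip)
                and _port_match(rule["srcPort"], src_port) and _port_match(rule["destPort"], dst_port)):
            return rule["policy"], number
    return "deny", 0


def flag_broad_allows(rules):
    """Allow rules with Any source AND Any destination expose the port on every
    address the MX answers on; return their comments for review."""
    return [r["comment"] for r in rules
            if r["policy"] == "allow" and r["srcCidr"].lower() == "any" and r["destCidr"].lower() == "any"]


if __name__ == "__main__":
    client = ("tcp", "198.51.100.7", 51000, MX_WAN_IP, AC_PORT)  # constructed AnyConnect client
    print(evaluate([], *client))             # ('deny', 0): the symptom from the thread
    print(evaluate([NARROW_RULE], *client))  # ('allow', 1): scoped rule still lets VPN in
    print(flag_broad_allows([BROAD_RULE, NARROW_RULE]))
```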

1 Accepted Solution
ww
Kind of a big deal

Didn't play with it yet,

But the rule kicks in when you are using the early access "NAT Exceptions with Manual Inbound Firewall".

You could consider turning it off if you don't need it.


5 Replies
jimmyt234
Building a reputation

What do you mean by "the new implementation of the New MX 3 inbound FW rules"?

Can you link the documentation describing this, please?


GregGriessel
Conversationalist

Thx WW, you were 100% spot on with this. I must have enabled it and forgotten I did. After disabling it and deleting my inbound FW rule, it's working.

For others, it's this "early access feature": https://documentation.meraki.com/MX/Networks_and_Routing/NAT_Exceptions-No_NAT_on_MX_Security_Applia...

PhilipDAth
Kind of a big deal

These two features are mutually exclusive. They stopped working together maybe 12 to 18 months ago.

You can actually work around this by creating 1:1 NATs in which the source and destination addresses are the same. And another secret: the interface is actually ignored. It does the NAT on all interfaces.

For example, this is a snippet of a customer I set up that uses a DMZ with a public IP address block. I used a 1:1 for every public IP address in the block. No need for the NO-NAT configuration in this case, and you can use AnyConnect.

(Screenshot of the 1:1 NAT configuration attached in the original post.)

 

jimmyt234
Building a reputation

Nice find @PhilipDAth, I will try to remember this for the future if a customer requires a no-NAT scenario due to having a public IP subnet on a VLAN!
