Meraki

Community

Block External IP Address

ED3573
Comes here often
‎Jan 10 2023 11:45 AM
‎Jan 10 2023 11:45 AM

Block External IP Address

How do I block an external IP address using a Layer 3 rule? I have created a network object and group but when I try to added to the source and if I give it on the destination field the rule doesn't work at all.

 

"Does not apply to any configured local or VPN subnets in the source field"

 

Is there anyway to create rule to block specific external IP address to not allow to get to internal resources? or this is not possible with the NAT rules.

Labels:
0 Kudos
6 Replies 6
BrandonS
Kind of a big deal
‎Jan 10 2023 11:52 AM
‎Jan 10 2023 11:52 AM

I'm pretty sure I just replied to your Reddit post 😉

 

You don't need to do anything.  External IP addresses cannot reach any internal resources unless you explicitly allow it with firewall rule/port forward.

 

 

- Ex community all-star (⌐⊙_⊙)
In response to BrandonS
ED3573
Comes here often
‎Jan 10 2023 11:58 AM
‎Jan 10 2023 11:58 AM

Thanks Brandon,
 
 
 
Well that's the thing we have a NAT rule for a webserver but I want to block an specific address, but the only thing I see is "Allowed remote IPs" over the NAT rule not block.
 
 
 
I have geoblock in place so what happens if I have an allowed country and one specific address from this allowed country is trying to brute force the web server?
0 Kudos
In response to ED3573
BrandonS
Kind of a big deal
‎Jan 10 2023 12:03 PM
‎Jan 10 2023 12:03 PM

I don't think there is a way to block a specific address or subnet in a NAT rule.  

 

You could drop them in the web server though, right?  And I guess you could put something upstream with ACL's to block specific IP addresses.

 

Do you have advanced security license?  You maybe able to do something there.

 

I have a similar situation with a FTPS server I maintain to send customer backups to.  It uses port 22 and gets hammered all day, every day.  I configured my server to block specific addresses and it also has a feature to auto block multiple failed attempts.

 

- Ex community all-star (⌐⊙_⊙)
0 Kudos
In response to ED3573
BrandonS
Kind of a big deal
‎Jan 10 2023 12:09 PM
‎Jan 10 2023 12:09 PM

I just had an idea actually.  Make a rule specifically allowing that IP and point it to a "black hole" like an IP address in a VLAN that goes nowhere and has access to nothing.  If you can move the rule to the top of the list it may (should?) trigger first and have the effect of blocking.

 

 

- Ex community all-star (⌐⊙_⊙)
0 Kudos
In response to BrandonS
ED3573
Comes here often
‎Jan 10 2023 1:48 PM
‎Jan 10 2023 1:48 PM

 

I cannot add public IP addresses using Layer 3 as source because they are not configured as a Subnet.

 

"Does not apply to any configured local or VPN subnets in the source field"

 

I don't know if this is the way, we have the Advance Security License, I did the following test I added a public IP into this L7 Rule

 

ksnip_20230110-163849.png

 

Proceed to access and it worked I wasn't able to access the web server from that specific public IP, would be nice if we had an official method of doing it with layer 3 or in the NAT were a clause block for doing it.

 

Thank you.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 11 2023 11:30 AM
‎Jan 11 2023 11:30 AM

You should be able to create an outbound firewall rule from the devices internal IP address to the public IP address you want to block, denying the traffic.  This wont stop the traffic coming in, but I think it might block the return traffic (you need to test this to verify).

 

Another method I haven't tried - but you could try creating a static route for the IP address you want to block and route it using the black hole method - to a local IP address on the LAN that does not exist.

 

RPF should caused packets that come in from the Internet to be blocked.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.