Block Inbound Traffic on MX LAN interface

bayet
Getting noticed

Block Inbound Traffic on MX LAN interface

Is it possible to block inbound traffic from remote site connected via MPLS link which is connected on the LAN 1 interface of an MX-64 to prevent NAT. The LAN network of the site is connected on LAN 2 interface . The internet interface is for the local internet breakout. As far I can see, the L3 Firewall is for outbound traffic, but I was wondering if it possible to use this same L3 firewall rule in opposite direction to deny traffic sourcing from remote site's.

 

I'm not able to test this setup yet, as I'm working a configuration to replace other firewalls.

 

Thanks in advance.

5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal

I don't clearly understand what you are getting to achieve. Could you give a specific examples with IP addresses.
bayet
Getting noticed

L3 firewall rules.PNG

bayet
Getting noticed

I trying to blocked traffic from entering the Site-A from Site-B, without having to update all the Debian Firewall rules. If I can blocked inbound traffic on the MX LAN interface, then I don't have to update the Debian. We are now replacing those firewalls with Meraki MX's.

bayet
Getting noticed

Hi PhilipDAth,
I did my best to explain my question in a drawing with IP addresses. I'm looking forward to see your reaction.

Thanks in advance
PhilipDAth
Kind of a big deal
Kind of a big deal

That is a good diagram!  I'm not 100% sure this will work, but I think it will.

 

You can assign a group policy to a VLAN.  So start  by creating a group policy (Network Wide/Group Policies), lets call it VLAN10 (you can call it anything you want).  Then go "Security Appliance/Addressing and VLANS", click on the VLAN you created, and select the group policy you created.

 

Then go into your new group policy and for "Firewall and traffic shaping" select "custom" to create layer 3 firewall rules.  Then create "deny" rules to block traffic to the other site.  Make sure you move the deny rules to the top, as the last rule is a permit.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels