Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Blocking inbound traffic by country on a specific port

JF1
Getting noticed
‎Feb 7 2024 2:34 AM
‎Feb 7 2024 2:34 AM

Blocking inbound traffic by country on a specific port

Hi

 

We have an externally facing NAT rule that is being attacked from various international locations.

We want to restrict traffic from the source countries, however only for the port we are using on the NAT rule.

 

I can see using layer 7 firewall rules we can block traffic from countries, however is it possible to take this one step further and not only block traffic from a country but only for a particular port?

0 Kudos
Subscribe
2 Replies 2
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 7 2024 2:36 AM
‎Feb 7 2024 2:36 AM

Unfortunately not. In your place I would remove the NAT, and allow access only via VPN

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
Badr-eddine
Getting noticed
‎Feb 8 2024 12:34 AM
‎Feb 8 2024 12:34 AM

I didn't find a straightforward solution using Meraki MX since it lacks this feature.However, I previously managed this task with legacy Cisco ASA firewalls :). The workaround involves manually creating objects at the Meraki organization level for each CIDR and organizing them into object groups for each country or region, then setting up corresponding firewall rules. For instance, you can explore IP CIDR or range by country using resources like this example: https://github.com/herrbischoff/country-ip-blocks

 

Another consideration for the most secure approach is to eliminate this attack surface altogether and replace direct access with VPN connectivity.

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.