Blocking inbound traffic by country on a specific port

JF1

Hi


We have an externally facing NAT rule that is being attacked from various international locations.

We want to restrict traffic from the source countries, however only for the port we are using on the NAT rule.


I can see that using Layer 7 firewall rules we can block traffic from countries; however, is it possible to take this one step further and not only block traffic from a country, but do so only for a particular port?

alemabrahao

Unfortunately not. In your place I would remove the NAT and allow access only via VPN.

Badr-eddine

I didn't find a straightforward solution using Meraki MX since it lacks this feature. However, I previously managed this task with legacy Cisco ASA firewalls :). The workaround involves manually creating objects at the Meraki organization level for each CIDR and organizing them into object groups for each country or region, then setting up corresponding firewall rules. For instance, you can explore IP CIDRs or ranges by country using resources like this example: https://github.com/herrbischoff/country-ip-blocks

 

Another consideration for the most secure approach is to eliminate this attack surface altogether and replace direct access with VPN connectivity.
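A worked example of the per-country CIDR workaround described in the reply above, added here as an illustration; it is not code from the thread, from Meraki, or from the country-ip-blocks project. It assumes the one-CIDR-per-line file layout used by that repository (constructed sample text is embedded instead of reading the files), collapses overlapping and adjacent prefixes so fewer objects have to be created, and emits a generic first-match deny list keyed on source CIDR and destination port. The rule dictionary shape (policy/protocol/srcCidr/destPort) is a hypothetical, platform-neutral representation chosen for the example, not a verified Meraki API payload; translate it to whatever object and rule form your dashboard or API actually accepts.

```python
"""Build a per-country, per-port deny list from CIDR files and evaluate it.

Added example, not from the forum thread or from Meraki. Assumptions:
- input format: one CIDR per line, '#' comments allowed (as in the
  herrbischoff/country-ip-blocks repository, ipv4/<cc>.cidr and ipv6/<cc>.cidr)
- rule dict shape is a hypothetical generic L3 rule, not a vendor API payload
"""
import ipaddress

# Constructed sample input standing in for two country files.
# 'yy' deliberately contains an overlapping prefix to show collapsing.
SAMPLE_COUNTRY_FILES = {
    "xx": "203.0.113.0/25\n203.0.113.128/25\n# trailing comment\n\n",
    "yy": "198.51.100.0/24\n198.51.100.0/26\n2001:db8::/32\n",
}


def parse_cidr_file(text):
    """Parse one country file into ip_network objects, skipping blanks/comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # strict=False tolerates host bits set in a published prefix
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Merge adjacent/overlapping prefixes. collapse_addresses refuses mixed
    address families, so IPv4 and IPv6 are collapsed separately."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def build_policy_objects(country_files):
    """Return {country_code: [collapsed CIDR strings]}: one object per CIDR,
    one group per country, mirroring the object/group layout the reply describes."""
    return {
        cc: [str(n) for n in collapse(parse_cidr_file(text))]
        for cc, text in country_files.items()
    }


def build_deny_rules(objects_by_country, dest_port, protocol="tcp"):
    """Emit first-match rules: deny each country prefix to dest_port only,
    then a catch-all allow so other ports from those countries still pass."""
    rules = []
    for cc, cidrs in sorted(objects_by_country.items()):
        for cidr in cidrs:
            rules.append({
                "comment": f"Block {cc.upper()} to port {dest_port}",
                "policy": "deny",
                "protocol": protocol,
                "srcCidr": cidr,
                "srcPort": "Any",
                "destCidr": "Any",
                "destPort": str(dest_port),
            })
    rules.append({
        "comment": "Default allow",
        "policy": "allow",
        "protocol": "any",
        "srcCidr": "Any",
        "srcPort": "Any",
        "destCidr": "Any",
        "destPort": "Any",
    })
    return rules


def first_match(rules, src_ip, dest_port, protocol="tcp"):
    """Return the first rule that matches a flow, or None if nothing matches
    (what an unmatched flow does is then the platform's implicit default)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["protocol"] not in ("any", protocol):
            continue
        if rule["destPort"] not in ("Any", str(dest_port)):
            continue
        if rule["srcCidr"] != "Any":
            net = ipaddress.ip_network(rule["srcCidr"])
            if ip.version != net.version or ip not in net:
                continue
        return rule
    return None


if __name__ == "__main__":
    objects = build_policy_objects(SAMPLE_COUNTRY_FILES)
    rules = build_deny_rules(objects, dest_port=3389)
    for cc, cidrs in objects.items():
        print(cc, cidrs)
    for ip, port in [("203.0.113.77", 3389), ("203.0.113.77", 443), ("192.0.2.1", 3389)]:
        print(ip, port, "->", first_match(rules, ip, port)["policy"])
```

Two things the example makes visible that the reply only implies: collapsing matters because the published lists contain many adjacent and overlapping prefixes, and the catch-all allow is what keeps the block scoped to the one port instead of the whole country. Remember that geolocation data changes, so whatever produces the objects has to be re-run periodically or the deny list silently drifts.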
