Create a DMZ on Cisco Meraki MX65 - Telephony Server

BenoitB
Comes here often

Hello,

I'm new to the management of Meraki MX.
We have a Cisco Meraki MX65.
At the time, we configured a permanent VPN connection with our cloud provider.
Then, we acquired a new Cisco Meraki MX65 to install at our CEO's.
And today we're trying to put our telephony server in a DMZ.
I don't know how we can do it: how to create a DMZ for our server, which is in our network.
Any help would be really appreciated.

Thank you very much in advance,

Benoît

10 Replies
BrandonS
Kind of a big deal

Meraki actually has a nice doc that covers this exact scenario that should help.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Security...

- Ex community all-star (⌐⊙_⊙)
kYutobi
Kind of a big deal

Creating a DMZ with the MX Security Appliance

The MX Security Appliance can be used to create a DMZ zone using VLANs, Firewall rules, and 1:1 NAT mappings. To do this, three things need to be accomplished:

  1. Segment the network using VLANs.
  2. Restrict inter-VLAN traffic using ACLs.
  3. Forward desired traffic using NAT rules.

In this example, the network will be divided into two zones.

  • Internal - Contains clients and other devices not directly reachable from the Internet, but able to initiate outbound communication.
  • DMZ - Contains public facing servers and services.

Within the DMZ there is a web server at 172.16.32.2, which should be reachable by all internal clients and any Internet hosts. However, no communication should be allowed to Internal hosts that is initiated by the web server, and only web traffic should be allowed between Internal hosts and the web server in the DMZ. Clients and the DMZ server are both connected to a downstream managed switch. Refer to the topology below.

[Topology diagram: Internal and DMZ VLANs behind the MX, clients and the web server on a downstream managed switch]

Segment the network into VLANs

  1. Navigate to Configure > Addressing & VLANs.
  2. Ensure that Mode is set to Network Address Translation (NAT).
  3. Set VLANs to "Enabled" if not already done.
  4. Create local VLANs for the Internal and DMZ networks, as shown below.
  5. Ensure that the LAN port connecting to the downstream switch is configured to correctly handle the two VLANs. In this case, VLAN 1 (Internal) is native and untagged, while VLAN 2 (DMZ) is tagged.
    Note: Ensure that the downstream switch is correctly configured to match these settings on the port connecting to the MX.
  6. Click Save Changes

Restrict inter-VLAN traffic using ACLs

  1. Navigate to Configure > Firewall.
  2. Under Outbound rules, add the following layer 3 firewall rules.
    1. Allow TCP:80 traffic from the Internal VLAN to the web server.
    2. Allow TCP:443 traffic from the Internal VLAN to the web server.
    3. Block all other traffic from the Internal VLAN to the web server.
    4. Block all traffic from the DMZ VLAN to the Internal VLAN.
  3. Click Save Changes.

This will allow:

  • Internal clients and DMZ servers to communicate freely with the Internet.
  • Internal clients to access web resources on the web server.
  • Internet hosts to access web resources on the web server.

...while preventing:

  • Internal clients from accessing other resources on the web server or other DMZ servers (such as SSH or FTP).
  • DMZ servers from accessing internal clients, unless in reply (to prevent allowing access to the internal network if the web server is compromised).
  • Internet hosts from accessing internal clients.

Forward desired traffic using NAT rules

  1. Navigate to Configure > Firewall.
  2. Under 1:1 NAT, add a 1:1 NAT mapping as shown below.
    1. The Public IP should be the IP address being directed to the selected Uplink, which will be forwarded to the web server.
      Note: If using the public IP address on the MX itself, refer to the guide on port forwarding for this section.
    2. The LAN IP should be the IP address of the web server.
    3. Under Allowed inbound connections, select TCP ports 80 and 443 to forward web traffic to the web server.
    4. For Remote IPs enter "any", unless restricting to specific IP addresses or ranges.
  3. Click Save Changes.

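The guide above is three dashboard steps (VLANs, outbound L3 rules, 1:1 NAT). As an added example, not code from the Meraki documentation, from kYutobi's post or from anyone in this thread, the Python script below models the same configuration as Dashboard API v1 payloads and runs a first-match evaluator over the outbound rule set with constructed sample flows, so the policy can be checked before anything is pushed to the MX. Assumed rather than taken from the page: the Internal subnet 192.168.128.0/24, the DMZ subnet 172.16.32.0/24 around the guide's 172.16.32.2 web server, the PUBLIC_IP and SWITCH_PORT placeholders, the network id, and the body field names (the endpoint paths are the documented v1 paths; the field names are this example's reading of the API reference).

```python
"""Added example: the Meraki DMZ guide's three steps as Dashboard API v1 payloads, plus a
first-match evaluator for the outbound L3 rules. Not code from the Meraki documentation.
Assumptions: Internal = 192.168.128.0/24, DMZ = 172.16.32.0/24 (web server 172.16.32.2 is
from the guide); PUBLIC_IP and SWITCH_PORT are placeholders; body field names are this
example's reading of the v1 API reference."""
import ipaddress

WEB_SERVER = "172.16.32.2"          # from the guide
INTERNAL_CIDR = "192.168.128.0/24"  # assumed Internal VLAN subnet
DMZ_CIDR = "172.16.32.0/24"         # assumed DMZ VLAN subnet
PUBLIC_IP = "203.0.113.10"          # placeholder (TEST-NET-3); use the uplink's real public IP
SWITCH_PORT = 3                     # placeholder: MX LAN port facing the downstream switch

VLANS = [
    {"id": 1, "name": "Internal", "subnet": INTERNAL_CIDR, "applianceIp": "192.168.128.1"},
    {"id": 2, "name": "DMZ", "subnet": DMZ_CIDR, "applianceIp": "172.16.32.1"},
]

# Outbound L3 rules in the guide's order. The MX evaluates top-down, first match wins,
# and an implicit "allow any" sits below the last rule.
L3_RULES = [
    {"comment": "Internal -> web server HTTP", "policy": "allow", "protocol": "tcp",
     "srcCidr": INTERNAL_CIDR, "srcPort": "Any", "destCidr": f"{WEB_SERVER}/32", "destPort": "80"},
    {"comment": "Internal -> web server HTTPS", "policy": "allow", "protocol": "tcp",
     "srcCidr": INTERNAL_CIDR, "srcPort": "Any", "destCidr": f"{WEB_SERVER}/32", "destPort": "443"},
    {"comment": "Block all other Internal -> web server", "policy": "deny", "protocol": "any",
     "srcCidr": INTERNAL_CIDR, "srcPort": "Any", "destCidr": f"{WEB_SERVER}/32", "destPort": "Any"},
    {"comment": "Block DMZ -> Internal", "policy": "deny", "protocol": "any",
     "srcCidr": DMZ_CIDR, "srcPort": "Any", "destCidr": INTERNAL_CIDR, "destPort": "Any"},
]

# 1:1 NAT: only TCP 80/443 from any remote IP is forwarded to the web server.
NAT_RULE = {
    "name": "web server", "publicIp": PUBLIC_IP, "lanIp": WEB_SERVER, "uplink": "internet1",
    "allowedInbound": [{"protocol": "tcp", "destinationPorts": ["80", "443"], "allowedIps": ["any"]}],
}


def _in_cidr(ip, cidr):
    return cidr.lower() == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _port_match(port, spec):
    """spec is 'Any' or a comma-separated list of ports and 'lo-hi' ranges, as in the dashboard."""
    if spec.lower() == "any":
        return True
    if port is None:
        return False
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(src_ip, dst_ip, protocol, dst_port=None, rules=L3_RULES):
    """First-match decision for a NEW flow; returns (policy, matching rule comment).
    Replies to already-accepted sessions are handled by the MX state table, not by these rules."""
    for rule in rules:
        if rule["protocol"] != "any" and rule["protocol"] != protocol:
            continue
        if not (_in_cidr(src_ip, rule["srcCidr"]) and _in_cidr(dst_ip, rule["destCidr"])):
            continue
        if not _port_match(dst_port, rule["destPort"]):
            continue
        return rule["policy"], rule["comment"]
    return "allow", "implicit default allow"


def api_calls(network_id):
    """Ordered (method, path, body) tuples for Dashboard API v1; send them with any HTTP client
    that carries an X-Cisco-Meraki-API-Key header (e.g. the official meraki Python SDK)."""
    base = f"/networks/{network_id}/appliance"
    calls = [("PUT", f"{base}/vlans/settings", {"vlansEnabled": True})]
    calls += [("POST", f"{base}/vlans", vlan) for vlan in VLANS]
    # Guide step 5: the switch-facing port carries VLAN 1 native/untagged and VLAN 2 tagged.
    calls.append(("PUT", f"{base}/ports/{SWITCH_PORT}",
                  {"enabled": True, "type": "trunk", "vlan": 1, "allowedVlans": "1,2"}))
    calls.append(("PUT", f"{base}/firewall/l3FirewallRules", {"rules": L3_RULES}))
    calls.append(("PUT", f"{base}/firewall/oneToOneNatRules", {"rules": [NAT_RULE]}))
    return calls


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, proto, dst port, expected policy)
    samples = [
        ("192.168.128.50", WEB_SERVER, "tcp", 443, "allow"),
        ("192.168.128.50", WEB_SERVER, "tcp", 22, "deny"),
        (WEB_SERVER, "192.168.128.50", "tcp", 445, "deny"),
        (WEB_SERVER, "8.8.8.8", "udp", 53, "allow"),
    ]
    for src, dst, proto, port, want in samples:
        got, why = evaluate(src, dst, proto, port)
        print(f"{src:>15} -> {dst:<15} {proto}/{port:<4} {got:5} ({why}) {'OK' if got == want else 'MISMATCH'}")
    for method, path, body in api_calls("N_PLACEHOLDER"):
        print(method, path, body)
```

Running the script prints the decision for each sample flow and the calls it would make. The evaluator only judges new flows: the MX accepts return traffic of an already-allowed session statefully, which is what lets the DMZ web server answer internal clients while the "Block DMZ -> Internal" rule still applies to any connection the server itself initiates.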
BenoitB
Comes here often

Hello,
Unfortunately, that doesn't work.
We have Site-to-Site VPN access with a cloud provider for our servers, and when I create a new VLAN I lose the connection to our servers and also Internet access.

I have to use my smartphone's WiFi sharing to get back to the Meraki portal and restore the correct configuration.

I do this:

[screenshot attached: 2020-12-02_09h13_56.png]

Before, the configuration was LAN Setting --> Single LAN.

I try to change to VLANs, add ID 10 DMZ ... and SAVE.

Then I lose the connection.

Any idea?

Thanks,

BenoitB
Comes here often

Nobody can help me? ;-(

Bruce
Kind of a big deal

Does everything still work when you first make the change to enable VLANs, without adding VLAN 10?

BenoitB
Comes here often

Hi,

Thanks for your answer.

No. No Internet.

What I see is I need to be on VLAN 10 with our Internet Provider (when you go to "Configure").

Now, in Addressing & VLANs, I'm in Single VLAN:

[screenshot attached: 2020-12-07_09h39_37.png]

When I change to VLANs, I lose the Internet connection.

[screenshot attached: 2020-12-07_09h41_00.png]

Maybe I need to change the whole network to VLAN 10?

I'm not an expert on Cisco and networking 😞

KarstenI
Kind of a big deal

Just a guess: after switching to VLAN mode, you did not assign the VLAN to the physical interface(s) and applied the config without that?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
BenoitB
Comes here often

Hi,

I've changed DHCP.

I have added the DNS from our Internet provider instead of the cloud provider.

Now, when I define VLAN 1, I still have Internet, but our site-to-site VPN connection is broken.
Any idea?

[screenshot attached: 2020-12-07_13h40_45.png]

[screenshot attached: 2020-12-07_13h42_56.png]

BenoitB
Comes here often

Hello,

Can someone help me understand why I lose my VPN connection with my Cloud Provider when I switch the configuration to multiple VLANs?

Maybe NAT translation?

Thanks,

Ben

Bruce
Kind of a big deal

You shouldn’t lose your connectivity just by switching from Single LAN to VLANs. The IP configuration of the MX as Single LAN gets copied across to VLAN 1. The only issue could be if the MX ports are not configured as Access Ports on VLAN 1 - this could be the case if there was a previous configuration on the MX. Make sure the ports are configured as Access, VLAN 1 and enabled, and you shouldn’t lose any connectivity. Once you’re at that starting point you can then move to creating the DMZ.

If all your ports are configured correctly and you’re still losing connectivity then I’d contact Support as it’s unlikely that you’ll get the assistance here that you need to troubleshoot this one.
