Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Creating a DMZ with pair of mx250

merman01
Here to help
‎Oct 23 2023 12:13 PM
‎Oct 23 2023 12:13 PM

Creating a DMZ with pair of mx250

I have a pair of mx250 on our network boundary set with required policies and rules and all is ok.

 

Im looking at creating a sperate network within our network to keep some kit seperate (by hardware) for the rest of the network.

 

I want to have a dmz there between 2 new mx250 to control traffic in and out.

Is there any thing special or different I should do with the 2 MX that would suit a dmz / restricted network companed to the setup of mx250 for boundary / isp connections ?

 

Also to make them more secure should I have the dmz / mx250 / switches in the new restricted network in a seperate dashboard in case account is compromised ?

 

Are there any issues with having 2 seperate dashboards in the one site ?

 

Labels:
0 Kudos
Subscribe
4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 23 2023 12:22 PM
‎Oct 23 2023 12:22 PM

Take a look at this.

 

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Security...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 23 2023 12:51 PM
‎Oct 23 2023 12:51 PM

It is very similar.

 

Typically you would create firewall rules between the DMZ and the inside of your network to limit an infected DMZ machine from spreading to internal devices.

Typically you just NAT into the DMZ from your public IP address space (which creates a natural type of firewall rules for inbound traffic to the DMZ from the Internet).

0 Kudos
Subscribe
In response to PhilipDAth
cmr
Kind of a big deal
Kind of a big deal
‎Oct 23 2023 1:36 PM
‎Oct 23 2023 1:36 PM

We use WAF rules on a (non Meraki) firewall for WAN to DMZ and then normal rules from DMZ to LAN for any access required there as @PhilipDAth mentioned above.  I'm not sure if the MXs can act as a Web Application Firewall (WAF), the L7 rules might work like that.

Subscribe
In response to cmr
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 23 2023 2:03 PM
‎Oct 23 2023 2:03 PM

No, the MX cannot act as a WAF due to various limitations, the best thing would be to have a system like a BIG-IP to work with WAF.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.