Meraki

Community

Does Meraki support refexive policies?

Solved
DunJer622
Building a reputation
‎Jan 20 2019 12:19 PM
‎Jan 20 2019 12:19 PM

Does Meraki support refexive policies?

Greetings,

 

I'm migrating our core SonicWALL hardware over to Meraki hardware and I've ran into a few issues.  One of them is reflexive policies or similar.  Basically, I have my MX250 with a bunch of MR33 units on the same network.  Wi-Fi to the Internet is working great.  However, my phones on Wi-Fi cannot access my email server (via MaaS360).  With SonicWALL, I just simply created NAT and firewall rules with reflexive policies and the phones synced whether they were on the network or not.  I've tried similar settings within the Meraki firewall settings, but no luck. 

 

Any ideas?

 

Thank you,

 

Jeremy 

0 Kudos
1 Accepted Solution
In response to DunJer622
DunJer622
Building a reputation
‎Feb 5 2019 8:56 AM
‎Feb 5 2019 8:56 AM

It was a matter of an incorrect default route and the requirement for LACP.  As for my original question, Meraki doesn't appear to use reflexive policies, as the one that I created for testing has never had a hit, and it is our Exchange Server.  Everything is now working, but some things are more transparent than others.

View solution in original post

0 Kudos
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 20 2019 10:33 PM
‎Jan 20 2019 10:33 PM

It looks like MaaS360 is some kind on on-premise virtual appliance?

 

How do the clients find it?  Via DNS?  If so, is there seperate internal and external DNS entries being used to handle clients being inside or outside your network?

 

Is the SSID operating in bridge mode and just using your internal DNS servers?

 

0 Kudos
In response to PhilipDAth
DunJer622
Building a reputation
‎Jan 22 2019 12:51 PM
‎Jan 22 2019 12:51 PM

It is possible that my testing was compromised.  I'll be doing more testing this Saturday.  In our environment, MaaS360 uses ActiveSync to access our Exchange environment.  For this question, we have 3 impacted solutions.  We have a physical secure remote access (SRA) appliance and a virtual Exchange Server environment.  The Exchange environment is used for MaaS360 and OWA (Outlook Web Access).  As SRA and Exchange are public facing, we use NAT to access the private IP of the devices.  In my current environment, I have reflexive policies in place.  This is necessary, as the static public IP of the destination is actually already on the WAN environment of the same firewall managing the Wi-Fi (which causes traffic to stop without a return policy).  I generally have the Wi-Fi network completely isolated from the LAN environment.  I have at times made exceptions DNS and RDP.  Anyhow, I tried using the L3 Outbound rules to create a reflexive policy of the associated NAT policy.  No effect.  However, I was having other issues with my test environment that may have been coming into play.  I'll confirm on Saturday.  Oh, along that line, I need an internal device to leave with a specific public IP address.  In SonicWALL, this is also addressed by NAT.  Is it safe to assume that L3 outbound rules can accommodate that, too?

 

Thanks,

 

Jeremy

0 Kudos
In response to DunJer622
DunJer622
Building a reputation
‎Feb 5 2019 8:56 AM
‎Feb 5 2019 8:56 AM

It was a matter of an incorrect default route and the requirement for LACP.  As for my original question, Meraki doesn't appear to use reflexive policies, as the one that I created for testing has never had a hit, and it is our Exchange Server.  Everything is now working, but some things are more transparent than others.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.