Dumb question - allowing incoming pings to Internet 1 WAN from permitted hosts

Solved
AlexGregoire
Here to help

The MX default firewall changed and my Security Appliances now drop all external ICMPv4 pings. This is a good thing, except I'm really weak on how to create groups and objects to re-permit from expected sources, like monitoring apps/locations like my backbone ISP monitoring ping tests. It's complicated by the fact that my branch networks are bound to one shared template, so I can't individually configure each branch with a narrow firewall profile. 

Example, which re-enables tests from my hub campus to the remote branch LANs (via VPN):

Policy | Rule Description  | Protocol | Source                  | Src port | Destination   | Dst port
Allow  | Allow pings - Hub | ICMPv4   | Hub Private, Hub Public | Any      | Internal LANs | Any

I can define 'Internal LANs' easily because they're all uniform. This is in place and works, easy enough.

I need:

Policy | Rule Description | Protocol | Source                       | Src port | Destination  | Dst port
Allow  | ISP pings        | ICMPv4   | ISP IPv4 Addresses (or Any?) | Any      | External WAN | Any

I need to know how to define the 'External WAN port' group or object without listing every branch MAC interface port, or IP address (most are dynamic at the mercy of the ISP), or inputting over 100 variables for my devices and tens of IP ranges for all of my varied ISPs.

Thanks for any suggestions or recommendations.
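The two rule rows in the post can be checked offline before the shared template is touched. What follows is an added example, not the poster's configuration and not anything shipped by Meraki: a small first-match evaluator in Python in which each Source/Destination group is a named list of CIDRs, the way a dashboard object or group would be. Every CIDR is a constructed documentation range, and the "External WAN" group is a hypothetical placeholder for the dynamic branch addresses the post says cannot be enumerated. The second rule set answers the "(or Any?)" question: with source Any, every address on the internet is re-permitted to ping the WAN, which is exactly what the changed default was closing.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"

# Named address groups standing in for dashboard objects/groups.
# Every CIDR is a constructed sample value (RFC 5737 / RFC 1918 ranges), not a real site.
GROUPS = {
    "Hub Private":    ["10.0.0.0/16"],
    "Hub Public":     ["203.0.113.10/32"],
    "Internal LANs":  ["10.0.0.0/8"],
    "ISP Monitoring": ["198.51.100.0/24"],
    # Hypothetical: the branch WAN addresses the post cannot enumerate (dynamic ISP leases).
    "External WAN":   ["192.0.2.0/24"],
}


@dataclass(frozen=True)
class Rule:
    policy: str        # "Allow" or "Deny"
    comment: str       # the dashboard "Rule Description" column
    protocol: str      # "ICMPv4", "TCP", "UDP" or ANY
    src: object        # tuple of group names, or ANY
    dst: object        # tuple of group names, or ANY
    dst_port: str = ANY


def in_groups(addr: str, groups) -> bool:
    """True if addr falls inside any CIDR of any named group (ANY matches everything)."""
    if groups == ANY:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr) for name in groups for cidr in GROUPS[name])


def evaluate(rules, protocol, src, dst, dst_port=ANY):
    """First matching rule wins; with no match the implicit final rule is Deny."""
    for rule in rules:
        if rule.protocol != ANY and rule.protocol != protocol:
            continue
        if not in_groups(src, rule.src) or not in_groups(dst, rule.dst):
            continue
        if rule.dst_port != ANY and rule.dst_port != dst_port:
            continue
        return rule.policy, rule.comment
    return "Deny", "implicit default deny"


# The rule rows from the post, with the ISP source kept as a named group.
RULES = (
    Rule("Allow", "Allow pings - Hub", "ICMPv4", ("Hub Private", "Hub Public"), ("Internal LANs",)),
    Rule("Allow", "ISP pings", "ICMPv4", ("ISP Monitoring",), ("External WAN",)),
)

# The "(or Any?)" alternative: identical, except the ISP rule accepts any source.
RULES_ANY_SOURCE = (
    RULES[0],
    Rule("Allow", "ISP pings", "ICMPv4", ANY, ("External WAN",)),
)


def sources_reaching_wan(rules, sources, wan_addr="192.0.2.44"):
    """Return the candidate sources whose ICMPv4 echo to the WAN address is allowed."""
    return [s for s in sources if evaluate(rules, "ICMPv4", s, wan_addr)[0] == "Allow"]


if __name__ == "__main__":
    candidates = ["198.51.100.9", "8.8.8.8", "203.0.113.10"]  # constructed probe sources
    print("hub -> branch LAN:", evaluate(RULES, "ICMPv4", "10.0.5.7", "10.20.0.1"))
    print("ISP monitor -> WAN:", evaluate(RULES, "ICMPv4", "198.51.100.9", "192.0.2.44"))
    print("unknown host -> WAN:", evaluate(RULES, "ICMPv4", "8.8.8.8", "192.0.2.44"))
    print("named group lets in:", sources_reaching_wan(RULES, candidates))
    print("source Any lets in:  ", sources_reaching_wan(RULES_ANY_SOURCE, candidates))
```

Running the block shows the named-group version admitting only the monitoring range while the Any version admits all three probe sources; the same comparison can be run against a real list of ISP monitoring ranges before committing the rule to the template.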

1 Accepted Solution
RaphaelL
Kind of a big deal

Hi, do you have "NAT Exceptions with Manual Inbound Firewall (early access)" enabled?

You shouldn't have to configure inbound rules to allow ICMP inbound to your WAN appliance. Also this won't apply to traffic incoming from AutoVPN (you don't have to include your hubs' private IPs).

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Denying_Inbound_ICMP_on_the_MX

2 Replies
Ah ha...! That effect wasn't clear in the documentation I skimmed when I turned it on. I was excited by the idea that I could have branch-modifiable firewall changes while still having a template-bound overall firewall.

That fixed it. And thank you for the guide link.
