Firewall, DMZ and acl Access webSite

Willkerrigan
Comes here often


Hello everyone,

I have a small question and I hope you can help me understand the issue.


In an environment with an MX250 Firewall and L3 on an MS250 switch,
I host a virtual machine in a 'DMZ' hosting a website that needs to be accessible from the internal network.

This 'DMZ' VLAN is created at the L3 switch level, and I've created an ACL to block internal traffic to it.

However, I need to provide access to this website to my internal users, some of whom are on a Meraki NAT WIFI network.
When I activate my ACL, my website is no longer accessible internally.

When I ping the name of my website, the public IP address of my firewall responds correctly.

And when I perform a traceroute to the address, I still go through my internal network ('10.3.1.1 = IP of my Firewall').

Any idea how to make it accessible while still blocking the DMZ?

Thank you 

alemabrahao
Kind of a big deal

You should be blocking all services and unused ports for this host, but should allow the necessary web ports for management. This means you can modify your ACL to allow traffic on HTTP (port 80) and/or HTTPS (port 443) from your internal network to the DMZ.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Brash
Kind of a big deal

Take a look at how hairpin routes are processed in Meraki.

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX#...


If I'm reading it correctly, the MX will source the traffic from the LAN IP rather than the WAN IP, and it thus hits your ACL.

Another good community thread on this is - Solved: HairPin Nat/Loop back NAT - The Meraki Community
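An added example, not from this thread or from Meraki: a small Python model of the two ACL designs discussed in both replies, evaluated against the flows they describe, including hairpinned traffic sourced from the MX LAN IP (10.3.1.1 from the question). The DMZ subnet, user VLAN address and web server IP are constructed; ordered first-match evaluation with a default permit is assumed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed sample addressing; only the MX LAN IP 10.3.1.1 comes from the thread.
INTERNAL = ip_network("10.0.0.0/8")      # assumption: all internal user VLANs
DMZ = ip_network("10.3.50.0/24")         # assumption: the DMZ VLAN routed on the MS250
WEB_SERVER = "10.3.50.10"                # assumption: the website VM in the DMZ
MX_LAN_IP = "10.3.1.1"                   # from the thread: hairpinned flows are sourced here

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dports: frozenset      # empty set means any destination port

def evaluate(acl, proto, src, dst, dport):
    """Ordered first-match evaluation. A flow matching no rule falls through to a
    default permit (assumption about how the switch ACL is evaluated)."""
    s, d = ip_address(src), ip_address(dst)
    for r in acl:
        if r.proto not in ("any", proto):
            continue
        if s in r.src and d in r.dst and (not r.dports or dport in r.dports):
            return r.action
    return "allow"

# The ACL as described in the question: one deny from the internal network to the DMZ.
ORIGINAL_ACL = [Rule("deny", "any", INTERNAL, DMZ, frozenset())]

# The ACL after the first reply's advice: permit only the web ports, then deny the rest.
# Because the hairpin source (the MX LAN IP) also lies inside INTERNAL, the allow covers it.
FIXED_ACL = [
    Rule("allow", "tcp", INTERNAL, DMZ, frozenset({80, 443})),
    Rule("deny", "any", INTERNAL, DMZ, frozenset()),
]

def check_flows(acl):
    """Verdicts for the three flows the thread is about."""
    return {
        "user_https": evaluate(acl, "tcp", "10.3.20.5", WEB_SERVER, 443),   # direct from a user VLAN
        "hairpin_https": evaluate(acl, "tcp", MX_LAN_IP, WEB_SERVER, 443),  # sourced by the MX after hairpin NAT
        "user_ssh": evaluate(acl, "tcp", "10.3.20.5", WEB_SERVER, 22),      # management port stays blocked
    }

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name, check_flows(acl))
```

With the original ACL every flow is denied, which is the symptom in the question; with the fixed ACL only the web ports pass, for both the direct and the hairpinned source.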
