Firewall Rule Override

NC_Chris
Here to help

Hi,

I have a customer wanting to change their Sonicwall out for an MX250. The problem I see is that their Sonicwall is based on zones, so some of the rules on the Sonicwall do not have those subnets present on the firewall. When moving to the MX250, if the subnet doesn't exist on the MX then I cannot add that rule. In some of these cases there are physically no more addresses in the small subnet that I can use to add anything on the MX.

At the end of the MX firewall rules I add my DENY ANY ANY, and this is where my question comes. If I did a port forwarding or a 1:1 NAT, will those override and pass through the firewall even if those subnets do not match my firewall list, or will they still be caught in the DENY ANY ANY rule?

4 Replies
PhilipDAth
Kind of a big deal

Huh? You can put any IP address or subnet in a firewall rule, whether it exists on the MX or not.

NC_Chris
Here to help

When trying to add the rules for subnets that do not exist on the MX250 I get the error:

There were errors in saving this configuration:

  • The IP address range x.x.x.x does not apply to any configured local or VPN subnets.
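The error above is the useful signal for a migration: the MX rejected a rule because the range in it falls outside every configured local or VPN subnet. Before touching the dashboard, the exported zone-based rule set can be checked offline for exactly that condition, so the rules that will be rejected (and the subnets that must first exist on the MX, as a VLAN or a VPN-reachable route) are known in advance. The following preflight check is an added example written for this thread, not Meraki code and not the poster's configuration; the subnets and rules in it are constructed samples, and it assumes the MX requires the whole range in a rule to fall inside a configured subnet, which is the reading of the error message shown, not a documented fact.

```python
import ipaddress

# Constructed sample: subnets the MX knows about (local VLANs plus
# VPN-reachable subnets). In practice these come from the MX config.
MX_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24", "10.50.0.0/16"]

# Constructed sample of rules exported from a zone-based firewall.
# Each rule is (policy, source, destination, protocol, destination port).
LEGACY_RULES = [
    ("allow", "192.168.10.0/24", "10.50.1.5", "tcp", "443"),
    ("allow", "172.16.5.0/29", "any", "any", "any"),          # subnet absent on the MX
    ("allow", "any", "192.168.20.10-192.168.20.20", "tcp", "3389"),
    ("allow", "10.0.0.0/8", "any", "udp", "53"),               # only partly covered
    ("deny", "any", "any", "any", "any"),                      # the trailing DENY ANY ANY
]


def to_networks(spec):
    """Parse 'any', a single IP, a CIDR, or a dashed range into networks.

    Returns None for 'any', meaning the field is unconstrained.
    """
    if spec.strip().lower() == "any":
        return None
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


def is_covered(spec, subnets):
    """True if every address in spec lies inside some configured subnet."""
    nets = to_networks(spec)
    if nets is None:
        return True
    configured = [ipaddress.ip_network(s) for s in subnets]
    return all(
        any(n.version == c.version and n.subnet_of(c) for c in configured)
        for n in nets
    )


def preflight(rules, subnets):
    """Return (rule, reason) pairs for rules the MX would reject."""
    problems = []
    for rule in rules:
        _policy, src, dst, _proto, _port = rule
        for label, spec in (("source", src), ("destination", dst)):
            if not is_covered(spec, subnets):
                problems.append(
                    (rule, f"{label} {spec} does not fall inside any configured subnet")
                )
    return problems


if __name__ == "__main__":
    for rule, reason in preflight(LEGACY_RULES, MX_SUBNETS):
        print(f"REJECT {rule}: {reason}")
```

Run against the sample data it flags the 172.16.5.0/29 rule (no such subnet on the MX) and the 10.0.0.0/8 rule (only 10.50.0.0/16 is configured, so most of the /8 is uncovered), while the dashed range inside 192.168.20.0/24 and the "any" entries pass. Rules that are flagged are the ones that need a VLAN, static route or VPN subnet created on the MX before the rule can be saved; the tool does not say anything about how port forwards or 1:1 NAT interact with the firewall list, which this thread does not settle.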

PhilipDAth
Kind of a big deal

Can you post a screenshot of what you are trying to do?

CaptainBeRad
Here to help

I think you need to make a route to the subnet you are trying to make a rule for. If the subnet doesn't exist anywhere in the Meraki, I don't think they let you make it.
