Meraki

Community

Firewall not dropping packets as expected

HGME-JHJ
Comes here often
‎Oct 20 2020 2:21 AM
‎Oct 20 2020 2:21 AM

Firewall not dropping packets as expected

I have the below firewall rules. There exist a 192.168.33.0/24 network on a separate vlan. This network is only to be reached from 192.168.11.0/24, and should no be able to reach the Internet or anywhere else. While capturing packets on LAN, I still see packets to and replies from outside ip-addresses. No group policy applied to the network in question. What am I missing here?

 

I have tried to make a dedicated deny rule for source 192.168.33.0/24, and although the hit counter increments I still see outside packets when capturing.

HGME-JHJ_1-1603185150689.png

 

HGME-JHJ_0-1603185085387.png

 

0 Kudos
4 Replies 4
ww
Kind of a big deal
Kind of a big deal
‎Oct 20 2020 3:20 AM
‎Oct 20 2020 3:20 AM

Are you using autovpn? Is 192.168.33.0 is a vpn subnet? Is  a default route used in the vpn?

0 Kudos
In response to ww
HGME-JHJ
Comes here often
‎Oct 21 2020 6:13 AM
‎Oct 21 2020 6:13 AM

No, 192.168.33.0 is not a VPN subnet.

0 Kudos
DarrenOC
Kind of a big deal
Kind of a big deal
‎Oct 20 2020 4:40 PM
‎Oct 20 2020 4:40 PM

Hi @HGME-JHJ , can your 192.168.33.x hosts access the internet from internal network and can it be reached via hosts that aren’t n the 192.168.11.x subnet?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
HGME-JHJ
Comes here often
‎Oct 21 2020 6:26 AM
‎Oct 21 2020 6:26 AM

I not sure about the 192.168.33.0/24, as the devices on this network is not available for me to test from. But I do have vpn access to the networks, and I am able to SSH into a SG300 switch in my management VLAN at network 192.168.128.0/24. From this switch I can ping both devices on other networks and targets on Internet, which neither should be possible. For instance I can ping from 192.168.128.11 to 192.168.11.10, which I intended to block.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.