Meraki

Community

How to Block external IP's on MX100

Solved
gparach
Here to help
‎Oct 3 2017 6:47 AM
‎Oct 3 2017 6:47 AM

How to Block external IP's on MX100

I need to enter IP filtering on the MX100 to keep certain IP's from trying to login to our mail server accounts causing them to lockout constantly. I do not have the option to only allow designated static IP's access to the mail IMap server. I also get monthly excel updates of Malware IP's and Domains that need to get blocked from/to our firewall. What method(s) will allow this?

0 Kudos
1 Accepted Solution
Tat0rt0t
Getting noticed
‎Oct 3 2017 1:13 PM
‎Oct 3 2017 1:13 PM

Perhaps the layer 7 section under Firewall you can deny a specified IP range?

View solution in original post

12 Replies 12
MijanurRahman
Getting noticed
‎Oct 3 2017 6:55 AM
‎Oct 3 2017 6:55 AM

This document explains this well:

https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Blocking_Inbound_Traffic_on_MX_Securit...

0 Kudos
In response to MijanurRahman
gparach
Here to help
‎Oct 3 2017 7:49 AM
‎Oct 3 2017 7:49 AM

This method wont work for users that don't have static IP addresses. I don't want an ALLOW list, I want a DIS-ALLOW list.

0 Kudos
In response to gparach
Mr_IT_Guy
A model citizen
‎Oct 4 2017 5:02 AM
‎Oct 4 2017 5:02 AM

@gparach wrote:

This method wont work for users that don't have static IP addresses. I don't want an ALLOW list, I want a DIS-ALLOW list.

Why don't you make a reservation for these users. This way they will have a static IP.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
0 Kudos
In response to Mr_IT_Guy
gparach
Here to help
‎Oct 4 2017 5:13 AM
‎Oct 4 2017 5:13 AM

Because they are Public IP cell phone users.

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 3 2017 12:29 PM
‎Oct 3 2017 12:29 PM

Have you got an advanced security licence?  If so, go:

Security Appliance/Threat Protection/

AMP Mode=Enabled

Intrusion detection and prevention mode=Prevention

Ruleset=Security

 

Secuity Appliance/Content Filtering

Add: Bot Nets, Illegal, Malware Sites, Proxy Avoidance and Anonymlisers

 

Do the above till will gain you substantial protection - using dynamic lists rather than something manually configured.

In response to PhilipDAth
gparach
Here to help
‎Oct 4 2017 5:31 AM
‎Oct 4 2017 5:31 AM

I have the advanced functionality and am using it, but, I get advanced lists of known bad entities that I want to make sure are getting blocked.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 3 2017 12:31 PM
‎Oct 3 2017 12:31 PM

To only allow specific IPs to get to your IMAP service go:

Security Appliance/Firewall/Forwarding rules

 

 

Locate your IMAP forwarding rule.  Scroll across to the "Allowed remote IPs" columns.  Change "Any" to just the list of allowed remote IPs.  All others will be blocked.

Tat0rt0t
Getting noticed
‎Oct 3 2017 1:13 PM
‎Oct 3 2017 1:13 PM

Perhaps the layer 7 section under Firewall you can deny a specified IP range?

In response to Tat0rt0t
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 3 2017 1:21 PM
‎Oct 3 2017 1:21 PM

The layer 7 firewall blocks outbound requests, not inbound requests due to NATed ports.

0 Kudos
In response to Tat0rt0t
gparach
Here to help
‎Oct 4 2017 5:35 AM
‎Oct 4 2017 5:35 AM

I have been using this method but was not completely convinced it was working. I tried another test and it seems to work from what I can tell. The only problem is it is an inconvenient way to enter many entries.
Tat0rt0t
Getting noticed
‎Oct 3 2017 1:36 PM
‎Oct 3 2017 1:36 PM

@gparach So your post got me thinking and I spoke with out exchange admin as well about it. It does seem that we have no way to block specific IP's on a NAT statement. You can blacklist IP's however via exchange according to out exchange admin, but he did warn, if it is a attacker, They will just attack from another IP. His recommendation to solve this issue was the change the users account username for authentication. 

0 Kudos
In response to Tat0rt0t
gparach
Here to help
‎Oct 4 2017 5:24 AM
‎Oct 4 2017 5:24 AM

This isn't exchange email and changing the user account is temporary at best (until they discover it) and a huge inconvenience to re-distribute the users change out to all contacts. My upcoming email version has Two Factor Authentication that should alleviate this issue, however, there should still be something built into the Meraki firewall to add IP block lists to reject someone trying to probe you or break in.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.