How to force credit card machine to use different WAN IP?

WarrenG

We have a client who has a credit card machine on their LAN and it needs to communicate out over the Internet. As part of the compliance check, the credit card company will scan the source Internet address that the machine is coming from for any open ports such as 80 or 443. The client has an Internet connection with a block of 5 static IP addresses - how do I make the credit card machine communicate out using one of the static IPs other than the one configured on the WAN interface? And then I also need to be able to make sure that if the IP is scanned, it does not show that any of the ports are open either. This is pretty straightforward with a SonicWALL, but I am seriously trying to figure this one out with a Meraki.

JamesC_AB

I believe you should be able to achieve this using 1:1 NAT.

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Configuring_1%3A1_NAT

GaryShainberg

Hi there,

I have many clients that are using card machines or Meraki networks and all of them are subject to the PCI/DSS compliance tests (in fact in the UK they get a surcharge each month if the check is not completed or fails).

Firstly, I am not sure why you need to do anything other than plug it in and go. It should not need a static IP nor any 1:1 mapping; because the Meraki MX is a stateful firewall, the card machine should just connect to the merchant service provider.

Secondly, for the PCI compliance: when the company does a port scan looking for open ports, if they find them and report back to you (or your client), as long as you can explain why the ports are open and what measures you have in place to mitigate any breach, they will give you an exception.

An example would be the POS till company, who may need remote access to the tills for support: you would open the port for VNC but with access only to the specific till IPs. This is what you would then provide as justification to the card company for the VNC port being open.

******* C19 Side note for anyone who is reading this **********

There is a known issue with Ingenico PDQ machines being caused by excessive cleaning using sprays for COVID cleaning, the machines are seeing the liquid dripping behind the keys as an "attack" and locking the machines with an "Alert Irruption Error Message" and the only option is to have the machine replaced, which can take up to 10 days - the solution is only to wipe them with wipes and 

CTO & Solutioneer
CMNA, CMNO, ECMS2
SNSA, SNSP
~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~
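To make the two approaches in this thread concrete, here is an added example (not from the thread, not Meraki's code) of building the 1:1 NAT rule set the first reply points to and auditing it the way a PCI scanner would see it. It covers both the card-machine case from the question (outbound via a second static IP, nothing accepted inbound, so a scan of that IP finds no open port) and the till-support case above (one port, reachable only from the vendor's addresses, which is the justification you give the assessor). The endpoint path and JSON field names (rules, name, lanIp, publicIp, uplink, allowedInbound, protocol, destinationPorts, allowedIps) are assumed from the Meraki Dashboard API v1 reference for oneToOneNatRules; check them against the current reference before use. All addresses, names and ids are constructed sample values.

```python
"""Build and audit Meraki MX 1:1 NAT rules for a card terminal.

Added example, not from the thread or from Meraki. Endpoint path and field
names are assumed from the Dashboard API v1 reference for oneToOneNatRules;
verify against the current reference. All IPs, names and ids are constructed.
"""
import json
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"


def card_terminal_rule(name, lan_ip, public_ip, uplink="internet1"):
    """1:1 NAT for the card machine: outbound traffic from lan_ip leaves the MX
    with public_ip as its source, and an empty allowedInbound list means no
    unsolicited inbound connection is accepted on that public IP."""
    return {"name": name, "lanIp": lan_ip, "publicIp": public_ip,
            "uplink": uplink, "allowedInbound": []}


def support_access_rule(name, lan_ip, public_ip, port, allowed_ips,
                        uplink="internet1"):
    """The till-support case: one TCP port reachable only from the listed
    vendor addresses, which is what you hand the assessor as justification."""
    return {"name": name, "lanIp": lan_ip, "publicIp": public_ip,
            "uplink": uplink,
            "allowedInbound": [{"protocol": "tcp",
                                "destinationPorts": [str(port)],
                                "allowedIps": [str(ip) for ip in allowed_ips]}]}


def audit_rules(rules):
    """Return (rule name, finding) pairs for inbound entries that an external
    scan would report as open to the whole Internet, i.e. any entry whose
    allowed source list contains 'any' or 0.0.0.0/0."""
    findings = []
    for rule in rules:
        for entry in rule.get("allowedInbound", []):
            sources = [s.lower() for s in entry.get("allowedIps", [])]
            if "any" in sources or "0.0.0.0/0" in sources:
                ports = ",".join(entry.get("destinationPorts", []))
                findings.append((rule["name"],
                                 f"{entry['protocol']}/{ports} open to any source"))
    return findings


def push_rules(api_key, network_id, rules):
    """PUT the complete rule set; the assumption here is that the API replaces
    the whole list rather than appending, so always send every rule."""
    url = f"{API_BASE}/networks/{network_id}/appliance/firewall/oneToOneNatRules"
    req = urllib.request.Request(
        url, data=json.dumps({"rules": rules}).encode(), method="PUT",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: a static block 203.0.113.8/29 with .9 on the WAN
    # interface, the card terminal mapped to .10 and a till to .11.
    rules = [
        card_terminal_rule("card-terminal", "192.168.10.50", "203.0.113.10"),
        support_access_rule("till-vnc", "192.168.10.60", "203.0.113.11",
                            5900, ["198.51.100.7/32"]),
    ]
    print(json.dumps({"rules": rules}, indent=2))
    print("findings:", audit_rules(rules) or "none")
    # push_rules("<API_KEY>", "<NETWORK_ID>", rules)  # placeholders; fill in real values
```

Run audit_rules over the rule set before pushing it: a rule with allowedIps of "any" is exactly the kind of exposure the assessor's scan reports, whereas the terminal rule with an empty allowedInbound leaves nothing for the scan to find on that IP.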

Thanks Gary. To my knowledge the ability to offer an explanation for an exception is not an available option. At least not one that's ever been offered or mentioned to us. We only have port 443 open to the Internet that forwards SSTP VPN traffic to the internal Windows Server, but that is enough to get them dinged for not 'being secure'. I'll ask about the option to offer an explanation though, that's a good idea 👍

GaryShainberg

@WarrenG How did you get on ?
