Meraki

Community

Inbound Rule to entire inside subnet

Scott_Sassin
Just browsing
‎Aug 31 2020 11:44 AM
‎Aug 31 2020 11:44 AM

Inbound Rule to entire inside subnet

I'm having difficulty creating an inbound rule, that will allow one outside address to initiate communication with any host in one or many of the local subnets. 

 

For example, permit (outside interface source)  20.25.25.16 to (Inside Destination) 10.190.0.0/16, (ports 80,443,8018,8008).

0 Kudos
6 Replies 6
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Aug 31 2020 11:53 AM
‎Aug 31 2020 11:53 AM

It’s kinda clearly explained on https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Using_Layer_3_Firewa...

In response to CptnCrnch
Scott_Sassin
Just browsing
‎Aug 31 2020 11:58 AM
‎Aug 31 2020 11:58 AM

Thanks for the reply. 

 

The link you posted, shows outbound connections.

 

I need to allow an inbound connection, coming in from the internet interface, from one source address, to be able to reach all hosts on the inside network, on certain ports.

0 Kudos
In response to Scott_Sassin
jdsilva
Kind of a big deal
‎Aug 31 2020 12:08 PM
‎Aug 31 2020 12:08 PM

Hey @Scott_Sassin,

 

You just hit on a use case that is not truly supported by the MX. In order to do this you'd have to create either individual port forwards, or 1:1/1:Many NAT entries for every inside host... Or more likely a combination of all three of these. None of those are good options for you, or going to actually be manageable. Sorry 😞

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to Scott_Sassin
DarrenOC
Kind of a big deal
Kind of a big deal
‎Aug 31 2020 12:25 PM
‎Aug 31 2020 12:25 PM

Hi @Scott_Sassin , the link that @CptnCrnch provided is correct.  Outbound rules are also treated as Inbound rules:

 

26DDB8DF-0818-4D96-BB6A-FBE78C27C227.png

So if you specify your internal subnet/s and ports as the source and then the external IP and ports as the destination 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 31 2020 2:10 PM
‎Aug 31 2020 2:10 PM

The most "typical" (and probably best) solution is to VPN into the network and access the hosts transparently.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
writ_er_relo
Here to help
‎Aug 31 2020 7:23 PM
‎Aug 31 2020 7:23 PM

"The inbound firewall will deny any traffic that does not have a session initiated by a client behind the MX. This allows internal client machines to connect with any resources they need, but does not let outside devices initiate connections with inside client machines. The exception to this is if a Port Forward or 1:1 NAT is created. "

 

Source:

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Blocking_Inbound_Traffic_on_MX_Security_...

 

But, I can't think of a design where the original request would be fulfilled. You'd need to NAT, or port forward every client.

 

In your original question: how would the outside IP know how to differentiate between internal clients from the outside? 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.