Meraki

Community

Internet access risks

Solved
franfm
Conversationalist
‎Aug 6 2018 3:37 AM
‎Aug 6 2018 3:37 AM

Internet access risks

Hello community,

 

A question that surrounds me and I wanted to comment with you:

 

If transport access (WAN) connected to my MX65 is a basic internet access (residential/non-business: xDSL, FTTH)

 

What are the real security risks?

 

For example: an hacker get remotely access local router (basic ftth) could I jump to MX:loca manage access, rest of end-points?

 

BR.-Fran

 

0 Kudos
1 Accepted Solution
ww
Kind of a big deal
Kind of a big deal
‎Aug 6 2018 3:45 AM
‎Aug 6 2018 3:45 AM

https://documentation.meraki.com/MX-Z/Firewall_and_Traffic_Shaping/Firewall_Settings

 

Note: In NAT mode, all inbound connections are denied except for ICMP traffic to the appliance, by default. If you want to allow additional inbound traffic, you will need to create a new port forwarding rule or NAT policy and explicitly allow connections based on protocols, ports, or remote IP addresses (see below).

Outbound connections are allowed by default. Customers may need to add a default deny rule for compliance and increased security.

View solution in original post

4 Replies 4
ww
Kind of a big deal
Kind of a big deal
‎Aug 6 2018 3:45 AM
‎Aug 6 2018 3:45 AM

https://documentation.meraki.com/MX-Z/Firewall_and_Traffic_Shaping/Firewall_Settings

 

Note: In NAT mode, all inbound connections are denied except for ICMP traffic to the appliance, by default. If you want to allow additional inbound traffic, you will need to create a new port forwarding rule or NAT policy and explicitly allow connections based on protocols, ports, or remote IP addresses (see below).

Outbound connections are allowed by default. Customers may need to add a default deny rule for compliance and increased security.

GiacomoS
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Aug 7 2018 6:38 AM
‎Aug 7 2018 6:38 AM

Hey @franfm,

 

In addition to @ww link, you can also disable the local status page from the Dashboard by going into Network-Wide > General > Device Configuration. 

 

This helps prevent users accidentally (or intentionally!) trying to access the local status page.

 

Giacomo

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
In response to GiacomoS
franfm
Conversationalist
‎Aug 7 2018 10:38 AM
‎Aug 7 2018 10:38 AM

Thanks guys.

 

OK, with which the only real risk to our endpoint/LAN in case of compromised the access router (ISP) would be a DoS attack on our MX?

 

Are you agree?

 

BR.Fran

0 Kudos
In response to franfm
ww
Kind of a big deal
Kind of a big deal
‎Aug 7 2018 12:40 PM
‎Aug 7 2018 12:40 PM

@franfm wrote:

Thanks guys.

 

OK, with which the only real risk to our endpoint/LAN in case of compromised the access router (ISP) would be a DoS attack on our MX?

 

Are you agree?

 

BR.Fran


i would rather care to educate users and secure and patch your endpoints as they are opening the connections to the public network and getting data into your lan.

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.