Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

L3 Firewall not allowing traffic

Solved
Johnny55
Here to help
‎Jul 13 2022 11:18 AM
‎Jul 13 2022 11:18 AM

L3 Firewall not allowing traffic

Hi folks

I have two rules:

 

Screen Shot 2022-07-13 at 4.07.19 PM.png

 

The second one DENY all traffic from subnet192.168.30.0 to subnet 192.168.10.0,
and the first one ALLOW from host 192.168.30.31 to server 192.168.10.147:51414/TCP.

 

Right now, the ALLOW rule has no effect, I do have some very clear logs showing me that 51414/TCP packets are blocked because of the DENY rule:
<134>1 1657686991.844793491 Meraki_MX100 flows src=192.168.30.31 dst=192.168.10.147 mac=00:50:56:BF:60:F3 protocol=tcp sport=36336 dport=51514 pattern: deny (dst 192.168.10.0/24) && (src 192.168.30.0/24)

 

Also, each subnet is on it's own vlan and I am not using any Group Policy on the vlans or the clients...



Please, tell me what I'm missing here...

Thanks!

EDIT: Following Ryan_Miles's comment, I replaced the screen capture.

Subscribe
1 Accepted Solution
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 13 2022 7:39 PM
‎Jul 13 2022 7:39 PM

Should be an easy fix ! 

 

Syslog shows : dport=51514 but the rule states 51414... 

View solution in original post

Subscribe
7 Replies 7
Johnny55
Here to help
‎Jul 13 2022 11:43 AM
‎Jul 13 2022 11:43 AM

I forgot to mention that if I remove the DENY rule, everything works as expected. Packets flowsssss to their destination...

0 Kudos
Subscribe
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jul 13 2022 12:21 PM
‎Jul 13 2022 12:21 PM

Looks like you should be using /32 masks on the allow rule. Not /24. If you fix that is there any change?

Subscribe
In response to Ryan_Miles
Johnny55
Here to help
‎Jul 13 2022 1:25 PM
‎Jul 13 2022 1:25 PM

Thanks @Ryan_Miles 

Yes I did a dumb mistake here...( ^_^)By dint of making changes I made that mistake... I was previously using /32 masks. So, I edited the allow rule, waited about 10 minutes, tested again and the firewall still blocks the packets.

(I have updated my post with a new screen capture and an edit comment.)

Subscribe
In response to Johnny55
Crocker
Building a reputation
‎Jul 13 2022 1:56 PM
‎Jul 13 2022 1:56 PM

Just for grins, I'd bounce the MX and then re-test. Then post the syslogs if it continues to block.

0 Kudos
Subscribe
In response to Crocker
Johnny55
Here to help
‎Jul 13 2022 3:32 PM
‎Jul 13 2022 3:32 PM

You mean reboot the unit @Crocker ?

0 Kudos
Subscribe
In response to Johnny55
Crocker
Building a reputation
‎Jul 13 2022 3:33 PM
‎Jul 13 2022 3:33 PM

Yeah

0 Kudos
Subscribe
RaphaelL
Kind of a big deal
Kind of a big deal
‎Jul 13 2022 7:39 PM
‎Jul 13 2022 7:39 PM

Should be an easy fix ! 

 

Syslog shows : dport=51514 but the rule states 51414... 

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.