MX Inbound Rules

Solved
Lorenzo1
Conversationalist

Apologies if this question is going over old ground regarding inbound rules on an MX, but I'm new to Meraki and still wrestling with some of the differences from a traditional L3 FW.

I have a requirement to use a cloud-based threat & vulnerability scanning tool to scan branch office networks via non-Meraki VPN peers (Azure), with the branch infrastructure being MS switches and MR APs.

Given that 'All Ports' will need to be open for the scan operation, am I right in thinking that port forwarding isn't the answer, as it's not possible to forward a single TCP or UDP port to multiple LAN devices using port forwarding?

Appreciate any advice.

1 Accepted Solution
GreenMan
Meraki Employee

If you're connecting to the MX via VPN (non-Meraki or AutoVPN), then the Security & SD-WAN > Firewall configuration does not come into play (including port forwarding, etc.). You do need to get your VPN configuration right, though, to enable the desired subnets to communicate: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_peers

If the VLANs on the destination MX that you need to scan do not have VPN enabled, they will not be reachable. This is configured under Security & SD-WAN > Addressing & VLANs.

In terms of traffic filtering, the ones that affect in-VPN traffic are configured within the Security & SD-WAN > Site-to-site VPN menu.

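To turn the accepted answer into a repeatable pre-check before an authorised scan, here is an added example (not from the original thread or from Meraki) that evaluates the two things GreenMan points at: whether the target VLAN's subnet has "use VPN" enabled, and whether the site-to-site VPN firewall rules would permit the scanner's traffic. The two dictionaries are constructed samples shaped like the Dashboard API's siteToSiteVpn and vpnFirewallRules responses; the IPs, subnets and rules are made up, and source ports are assumed to be ephemeral and are not evaluated.

```python
import ipaddress

# Constructed sample shaped like GET /networks/{id}/appliance/vpn/siteToSiteVpn
BRANCH_VPN = {
    "mode": "spoke",
    "subnets": [
        {"localSubnet": "10.10.10.0/24", "useVpn": True},   # user VLAN, in VPN
        {"localSubnet": "10.10.20.0/24", "useVpn": False},  # mgmt VLAN, NOT in VPN
    ],
}

# Constructed sample shaped like GET /organizations/{id}/appliance/vpn/vpnFirewallRules
VPN_FW_RULES = [
    {"policy": "deny", "protocol": "tcp", "srcCidr": "Any", "srcPort": "Any",
     "destCidr": "10.10.10.0/24", "destPort": "3389", "comment": "block RDP"},
    {"policy": "allow", "protocol": "any", "srcCidr": "Any", "srcPort": "Any",
     "destCidr": "Any", "destPort": "Any", "comment": "Default rule"},
]

def _cidr_match(field, ip):
    """'Any' or a comma-separated list of CIDRs, as the dashboard stores them."""
    if field.lower() == "any":
        return True
    return any(ip in ipaddress.ip_network(c.strip(), strict=False) for c in field.split(","))

def _port_match(field, port):
    """'Any', single ports, or ranges like '1024-65535', comma-separated."""
    if field.lower() == "any":
        return True
    for part in field.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def vpn_reachable(vpn_cfg, dst_ip):
    """A VLAN is reachable over the tunnel only if its subnet has useVpn set."""
    ip = ipaddress.ip_address(dst_ip)
    return any(s["useVpn"] and ip in ipaddress.ip_network(s["localSubnet"])
               for s in vpn_cfg["subnets"])

def vpn_rule_verdict(rules, src_ip, dst_ip, proto, dst_port):
    """First-match evaluation of the site-to-site VPN firewall rules (srcPort ignored)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["protocol"].lower() not in ("any", proto.lower()):
            continue
        if (_cidr_match(r["srcCidr"], src) and _cidr_match(r["destCidr"], dst)
                and _port_match(r["destPort"], dst_port)):
            return r["policy"], r.get("comment", "")
    return "allow", "implicit default"  # the list always ends in the default allow

def scan_precheck(vpn_cfg, rules, scanner_ip, target_ip, proto, port):
    """Combine both checks into one answer for a scanner->target flow."""
    if not vpn_reachable(vpn_cfg, target_ip):
        return "unreachable: subnet not in VPN"
    policy, why = vpn_rule_verdict(rules, scanner_ip, target_ip, proto, port)
    return f"{policy} ({why})"
```

Feeding the real API responses in place of the constructed samples tells you, per VLAN and port, which scan results will be blind spots caused by VPN configuration rather than by the hosts themselves.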

3 Replies
ww
Kind of a big deal

There is no NAT if you connect using VPN.

There are also no inbound firewall rules for VPN.

Lorenzo1
Conversationalist

Thanks for the reply; it looks like I'm out of options for this particular set of conditions.
