Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX Inbound Rules

Solved
Lorenzo1
Conversationalist
‎Apr 26 2023 4:19 AM
‎Apr 26 2023 4:19 AM

MX Inbound Rules

Apologies, if this question is going over old ground regarding inbound rules on an MX, but I'm new to meraki and still wrestling with some of the differences with a traditional L3 FW.


I have a requirement to use a cloud based threat & vulnerability scanning tool to scan branch office networks via non meraki vpn peers (Azure), with the branch infrastructure being MS switches and MR AP's.

 

Given that 'All Ports' will be need to be open for the scan operation, am I right in thinking that port forwarding isn't the answer, as it's not possible to forward a single TCP or UDP port to multiple LAN devices using port forwarding?

 

Appreciate any advice.

Labels:
0 Kudos
Subscribe
1 Accepted Solution
GreenMan
Meraki Employee
Meraki Employee
‎Apr 26 2023 8:12 AM
‎Apr 26 2023 8:12 AM

If you're connecting to the MX via VPN (non-Meraki or AutoVPN) then the Security & SD-WAN > Firewall configuration does not come into play (including port forwarding etc).   You do need to get your VPN configuration right though, to enable the desired subnets to communicate:  https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_peers

If the VLANs on the destination MX, that you need to scan, do not have VPN enabled, they will not be reachable.  This is configured under Security & SD-WAN > Addressing & VLANs

In terms of traffic filtering, the ones that affect in-VPN traffic are configured within the Security & SD-WAN > Site-to-site VPN menu.

View solution in original post

0 Kudos
Subscribe
3 Replies 3
ww
Kind of a big deal
Kind of a big deal
‎Apr 26 2023 5:23 AM
‎Apr 26 2023 5:23 AM

There is no nat if you connect using vpn.

There are also no inbound firewall rules for vpn

0 Kudos
Subscribe
In response to ww
Lorenzo1
Conversationalist
‎Apr 26 2023 6:54 AM
‎Apr 26 2023 6:54 AM

Thanks for the reply, looks like I'm out of options for this particular set of conditions.

0 Kudos
Subscribe
GreenMan
Meraki Employee
Meraki Employee
‎Apr 26 2023 8:12 AM
‎Apr 26 2023 8:12 AM

If you're connecting to the MX via VPN (non-Meraki or AutoVPN) then the Security & SD-WAN > Firewall configuration does not come into play (including port forwarding etc).   You do need to get your VPN configuration right though, to enable the desired subnets to communicate:  https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_peers

If the VLANs on the destination MX, that you need to scan, do not have VPN enabled, they will not be reachable.  This is configured under Security & SD-WAN > Addressing & VLANs

In terms of traffic filtering, the ones that affect in-VPN traffic are configured within the Security & SD-WAN > Site-to-site VPN menu.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.