MX100 L3 rule not working

SOLVED
Scother
Here to help

Hi,

Can anyone help me figure out why the rule below is not working?

[attachment: rule.PNG]

Below is my scenario. From host x.x.x.y I can still ping host x.x.z.z.

[attachment: sceario.PNG]

1 ACCEPTED SOLUTION

I also tried Deny ICMP but it is still not working. What works for me is to create a group policy, define the L3 rules in the group policy, and then apply the group policy to the x.x.z.0 subnet. The rules I define in the group policy are the same rules I define in the firewall configuration, but in the firewall configuration those rules are not working.

MerakiDave
Meraki Employee

Have you run packet captures on the MX, on both WAN and LAN sides, to confirm what packets are ingressing/egressing the MX?  Assuming the MX is in NAT mode, and not VPN/Passthrough mode in which case it's just a bump in the wire?  And just for troubleshooting, instead of ANY protocol, try specifying ICMP to see if that changes the behavior and if so, open a case to investigate.  Also, depending on FW version you might be able to toggle on inbound FW logging on the firewall config page.

BrandonS
Kind of a big deal

When the rule is applied it won't affect current network flows immediately.  You might just want to reboot the clients or refresh their network settings and test again.

- Ex community all-star (⌐⊙_⊙)
Scother
Here to help

both hosts are connected to MX LAN ports and the VLANs for the hosts are defined locally in the MX.

BrandonS
Kind of a big deal

That shouldn't matter.  How about adding the reverse rule too? 

- Ex community all-star (⌐⊙_⊙)
BrandonS
Kind of a big deal

And make sure to reboot or reset network settings when testing. If you are just running ping and expecting it to stop within moments of applying the changes, it won't.

- Ex community all-star (⌐⊙_⊙)

Scother
Here to help

Reset network settings on both hosts and tested again; the rule is still not working.

Added the reverse rule, but it is still not working.

BrandonS
Kind of a big deal

Well, back to MerakiDave's suggestion, I guess..  Look at a LAN side packet capture and see what is happening.  If it is not right, call support and show them.

- Ex community all-star (⌐⊙_⊙)
PhilipDAth
Kind of a big deal

Any chance there is a permit rule above this that might be allowing it?

PhilipDAth
Kind of a big deal

There are no hits on your rule.  Double check for any typos in the IP addresses, and for any permit rules above the deny which might be permitting the traffic.
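The two points raised in this thread (a broader permit rule placed above the deny will shadow it, and a flow started from the other side needs its own rule) are easy to check mechanically. The following is an added example, not Meraki code and not the poster's configuration: a small first-match evaluator over an ordered L3 rule list in the same shape the Dashboard uses (policy, protocol, srcCidr, destCidr), with a shadowing check. The 10.1.1.0/24 and 10.1.2.0/24 subnets stand in for the x.x.x.0 and x.x.z.0 networks from the screenshots and are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed example rule sets. Real MX L3 rules are evaluated top-down,
# first match wins, with an implicit "allow any" at the bottom.
RULES_SHADOWED = [
    {"comment": "allow all LAN to LAN", "policy": "allow", "protocol": "any",
     "srcCidr": "10.0.0.0/8", "destCidr": "10.0.0.0/8"},
    {"comment": "block A to B", "policy": "deny", "protocol": "any",
     "srcCidr": "10.1.1.0/24", "destCidr": "10.1.2.0/24"},
]

RULES_FIXED = [
    {"comment": "block A to B", "policy": "deny", "protocol": "any",
     "srcCidr": "10.1.1.0/24", "destCidr": "10.1.2.0/24"},
    {"comment": "block B to A (reverse rule)", "policy": "deny", "protocol": "any",
     "srcCidr": "10.1.2.0/24", "destCidr": "10.1.1.0/24"},
    {"comment": "allow all LAN to LAN", "policy": "allow", "protocol": "any",
     "srcCidr": "10.0.0.0/8", "destCidr": "10.0.0.0/8"},
]


def _cidr_match(cidr: str, addr: str) -> bool:
    """'any' matches every address; otherwise test CIDR membership."""
    if cidr.lower() == "any":
        return True
    return ip_address(addr) in ip_network(cidr, strict=False)


def _proto_match(rule_proto: str, proto: str) -> bool:
    return rule_proto.lower() in ("any", proto.lower())


def first_match(rules, src: str, dst: str, proto: str) -> Tuple[Optional[int], str]:
    """Return (index, policy) of the first rule that matches the flow,
    or (None, 'allow') for the implicit default rule."""
    for i, r in enumerate(rules):
        if (_proto_match(r["protocol"], proto)
                and _cidr_match(r["srcCidr"], src)
                and _cidr_match(r["destCidr"], dst)):
            return i, r["policy"]
    return None, "allow"


def _covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer.lower() == "any":
        return True
    if inner.lower() == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def shadowed_by(rules, idx: int) -> Optional[int]:
    """Index of an earlier rule whose protocol, source and destination fully
    contain rule `idx` (so rule `idx` can never get a hit), else None."""
    target = rules[idx]
    for i in range(idx):
        r = rules[i]
        if (r["protocol"].lower() in ("any", target["protocol"].lower())
                and _covers(r["srcCidr"], target["srcCidr"])
                and _covers(r["destCidr"], target["destCidr"])):
            return i
    return None


if __name__ == "__main__":
    # Ping from A to B hits the broad allow, never the deny: zero hits on the deny.
    print(first_match(RULES_SHADOWED, "10.1.1.10", "10.1.2.20", "icmp"))
    print("deny shadowed by rule", shadowed_by(RULES_SHADOWED, 1))
    # After reordering, both directions are denied and other LAN traffic still flows.
    print(first_match(RULES_FIXED, "10.1.1.10", "10.1.2.20", "icmp"))
    print(first_match(RULES_FIXED, "10.1.2.20", "10.1.1.10", "tcp"))
    print(first_match(RULES_FIXED, "10.1.1.10", "192.168.5.5", "tcp"))
```

`shadowed_by` is the check that explains a rule with no hits: if it returns an index, the deny can never match and must be moved above that rule. Note that a stateful firewall lets reply packets of an allowed flow back through without a rule, so the reverse rule matters only for new connections initiated from the other subnet.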

Adam
Kind of a big deal

Agreed that x.x.z.z should be source and the other as destination.  Also make sure the computers you are testing from are not whitelisted.  Lastly see if you can test something other than ping if it has any other services.  And for testing's sake try setting the Deny Any to Deny ICMP.  For some reason, I seem to remember that 'Any' possibly doesn't include ICMP but I could be remembering that incorrectly. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
