Meraki

Community

Meraki Firewall allowing non-specified ports

EtcSlc
Here to help
‎Mar 26 2018 1:45 PM
‎Mar 26 2018 1:45 PM

Meraki Firewall allowing non-specified ports

We have a Meraki MX100 firewall that was set up by a consulting firm.  From what I can tell, the firewall is only configured to NAT certain ports through to our servers; however, from outside, I am able to RDP in ANY server that there is a 1:1 NAT rule for, even when none of the rules allow port 3389 through the firewall from outside.  In most cases, only ports like 443 and 25 are set in the rules.  I haven't gone so far as to test access to ports other than 3389 but even still, why would I be able to connect from outside if the ports are not allowed through in the configuration?

0 Kudos
9 Replies 9
Adam
Kind of a big deal
‎Mar 26 2018 2:42 PM
‎Mar 26 2018 2:42 PM

If you go to Security Appliance>Firewall.  Then scroll down to the 1:1 NAT section and find the NAT for RDP.  You should see something like this if it has any restrictions configured. 

Capture.PNG

 

Conceptually the MX100 is the firewall so if the NAT is setup here then it will dictate any restrictions/rules based on those created. 

 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
In response to Adam
EtcSlc
Here to help
‎Mar 26 2018 2:51 PM
‎Mar 26 2018 2:51 PM

That's the problem.  NONE of the 1:1 NAT entries include port 3389.  In fact, now that I've tested more, I can get to ANY port on the servers from outside, even when they are not in the list of allowed ports.  For example, I have ONLY ports 80, 443 and 25 allowed to my Exchange server.  I can RDP into it.  I have ONLY port 443 allowed to my SharePoint server, and I can get to the central admin site on port 11111 and RDP into it from outside.

 

Screen Shot 03-26-18 at 05.48 PM.PNGScreen Shot 03-26-18 at 05.50 PM.PNG

0 Kudos
In response to EtcSlc
Adam
Kind of a big deal
‎Mar 26 2018 3:00 PM
‎Mar 26 2018 3:00 PM

That is very strange.  My understanding of those rules is that they are basically a whitelist.  Things not specified there are denied.  I've tested this in my environment and it seemed to work that way.  May be worth doing a little troubleshooting with support to verify.  If you have a maintenance window or something less critical you may want to try removing one of the NAT rules completely to see if you can still access it after the rule is gone. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
In response to Adam
EtcSlc
Here to help
‎Mar 26 2018 3:07 PM
‎Mar 26 2018 3:07 PM

I did move two servers that don't require a 1:1 NAT to 1:Many and they appear to actually be secure now from outside, but I can't do that for all the services.

My understanding of the statement at the top of the Firewall page

"Inbound traffic will be restricted to the services and forwarding rules configured below"

is what you said... anything not specifically allowed would be blocked.  It's as if there's some Allow Any-Any rule somewhere in the config but not exposed to the web interface.

In response to EtcSlc
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 26 2018 10:37 PM
‎Mar 26 2018 10:37 PM

@EtcSlc what firmware version are you running?

0 Kudos
In response to PhilipDAth
EtcSlc
Here to help
‎Mar 27 2018 6:38 AM
‎Mar 27 2018 6:38 AM

Current Firmware Version: MX 15.4
0 Kudos
In response to EtcSlc
EtcSlc
Here to help
‎Mar 27 2018 7:03 AM
‎Mar 27 2018 7:03 AM

Just some additional information...

 

For a server that I have a 1:1 NAT for, if I specify port 3389 TCP and UDP but restrict it to a single public IP, I can STILL RDP into that server from other public IPs, not just the one I specified.

 

If I add a 1:Many rule for a system that already has a 1:1 NAT rule and redirect port 3389 to an obscure port, I can no longer RDP into the server; however, that tells me I'd need to redirect all ports to obscure IPs and ports in order to adequately protect that system and maintain the 1:1 NAT.

 

It seems so long as a system has a 1:1 NAT rule AT ALL, then all ports are allowed through to that system, regardless of the ports specified. 

 

I hope this is just a misconfiguration or misunderstanding and not a massive security issue.

0 Kudos
In response to EtcSlc
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 27 2018 7:22 AM
‎Mar 27 2018 7:22 AM

You really are running the Beta code.  I wouldn't be surprised if this is broken in such new code.

0 Kudos
In response to PhilipDAth
EtcSlc
Here to help
‎Mar 27 2018 7:42 AM
‎Mar 27 2018 7:42 AM

Well that's just fantastic!  Thank you!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.