Meraki Firewall allowing non-specified ports

EtcSlc
Here to help

Meraki Firewall allowing non-specified ports

We have a Meraki MX100 firewall that was set up by a consulting firm.  From what I can tell, the firewall is only configured to NAT certain ports through to our servers; however, from outside, I am able to RDP in ANY server that there is a 1:1 NAT rule for, even when none of the rules allow port 3389 through the firewall from outside.  In most cases, only ports like 443 and 25 are set in the rules.  I haven't gone so far as to test access to ports other than 3389 but even still, why would I be able to connect from outside if the ports are not allowed through in the configuration?

9 Replies 9
Adam
Kind of a big deal

If you go to Security Appliance>Firewall.  Then scroll down to the 1:1 NAT section and find the NAT for RDP.  You should see something like this if it has any restrictions configured. 

Capture.PNG

 

Conceptually the MX100 is the firewall so if the NAT is setup here then it will dictate any restrictions/rules based on those created. 

 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
EtcSlc
Here to help

That's the problem.  NONE of the 1:1 NAT entries include port 3389.  In fact, now that I've tested more, I can get to ANY port on the servers from outside, even when they are not in the list of allowed ports.  For example, I have ONLY ports 80, 443 and 25 allowed to my Exchange server.  I can RDP into it.  I have ONLY port 443 allowed to my SharePoint server, and I can get to the central admin site on port 11111 and RDP into it from outside.

 

Screen Shot 03-26-18 at 05.48 PM.PNGScreen Shot 03-26-18 at 05.50 PM.PNG

Adam
Kind of a big deal

That is very strange.  My understanding of those rules is that they are basically a whitelist.  Things not specified there are denied.  I've tested this in my environment and it seemed to work that way.  May be worth doing a little troubleshooting with support to verify.  If you have a maintenance window or something less critical you may want to try removing one of the NAT rules completely to see if you can still access it after the rule is gone. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
EtcSlc
Here to help

I did move two servers that don't require a 1:1 NAT to 1:Many and they appear to actually be secure now from outside, but I can't do that for all the services.

My understanding of the statement at the top of the Firewall page

"Inbound traffic will be restricted to the services and forwarding rules configured below"

is what you said... anything not specifically allowed would be blocked.  It's as if there's some Allow Any-Any rule somewhere in the config but not exposed to the web interface.

PhilipDAth
Kind of a big deal
Kind of a big deal

@EtcSlc what firmware version are you running?

EtcSlc
Here to help

Current Firmware Version: MX 15.4
EtcSlc
Here to help

Just some additional information...

 

For a server that I have a 1:1 NAT for, if I specify port 3389 TCP and UDP but restrict it to a single public IP, I can STILL RDP into that server from other public IPs, not just the one I specified.

 

If I add a 1:Many rule for a system that already has a 1:1 NAT rule and redirect port 3389 to an obscure port, I can no longer RDP into the server; however, that tells me I'd need to redirect all ports to obscure IPs and ports in order to adequately protect that system and maintain the 1:1 NAT.

 

It seems so long as a system has a 1:1 NAT rule AT ALL, then all ports are allowed through to that system, regardless of the ports specified. 

 

I hope this is just a misconfiguration or misunderstanding and not a massive security issue.

PhilipDAth
Kind of a big deal
Kind of a big deal

You really are running the Beta code.  I wouldn't be surprised if this is broken in such new code.

EtcSlc
Here to help

Well that's just fantastic!  Thank you!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels