Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Meraki MX 75 and inbound traffic filtering

gregarican
Here to help
‎Feb 29 2024 1:09 PM
‎Feb 29 2024 1:09 PM

Meraki MX 75 and inbound traffic filtering

So our corporate network has a remote access service as a published 1:1 NAT host through our MX 75. Due to the nature of remote access, I can't just whitelist our corporate LAN's for inbound access. People work remotely, that's the idea. 🙂

 

Rather than play whack-a-mole by blocking specific IP subnets due to their numerous failed intrusion attempts, I was wondering if there's some functionality for screening inbound access. Cisco has their Umbrella and Talos acquired product families. Similar to their acquisition of Meraki. So logically I was wondering for the MX line if there is a way to permit inbound access based on the far end's IP reputation score or something? I know for outbound access that Umbrella can come into play, which I leverage. What about inbound?

Labels:
0 Kudos
Subscribe
6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 1:12 PM
‎Feb 29 2024 1:12 PM

I can't think of any way to achieve this if a third-party client VPN solution is in place.

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 1:14 PM
‎Feb 29 2024 1:14 PM

Meraki and Umbrella do have "Cisco Secure Connect", which is a cloud-hosted client VPN service, and traffic is brought back to your branches via AutoVPN.  In this case, Umbrella is protecting the VPN head end, as it is in their cloud.

https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco__Secure_Connect_Now_Remote_Access

 

Subscribe
In response to PhilipDAth
gregarican
Here to help
‎Feb 29 2024 1:24 PM
‎Feb 29 2024 1:24 PM

Thanks for your reply! When I'm referring to remote access, currently we aren't utilizing an inbound VPN layer for this. Basically the users are accessing a Citrix login page. Once they authenticate then they can launch their published apps. I've looked on the Citrix end and cannot ascertain how I can help validate the inbound traffic. I will look into this Cisco Secure Connect to see if it would be a good fit. But even then I would like to block attempts at accessing it via some sort of IP reputation lookup. If Umbrella can emulate that then we might have a good fit!

0 Kudos
Subscribe
In response to gregarican
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 1:31 PM
‎Feb 29 2024 1:31 PM

I have not done this - but I believe SecureConnect can also provide a "zero trust" interface to Citrix.  You don't use a NAT pinhole anymore.

 

Users browse to a portal, and all the apps they can access are in it.  They click on Citrix, Umbrella screens everything, does MFA, etc, and then connects the user to the Citrix server over AutoVPN.

Umbrella is acting like a WAF in this case providing all the protection.

https://support.umbrella.com/hc/en-us/articles/230562487-Terminal-Services-Citrix-and-Umbrella-Integ... 

0 Kudos
Subscribe
In response to gregarican
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 1:33 PM
‎Feb 29 2024 1:33 PM

I even found a Citrix document on this option. However, this looks like it is doing it "light" by only integrating the authentication.  But something you can Google on more.

https://docs.citrix.com/en-us/citrix-secure-private-access/downloads/cisco-umbrella.pdf 

Subscribe
In response to PhilipDAth
gregarican
Here to help
‎Mar 1 2024 9:23 AM
‎Mar 1 2024 9:23 AM

Thanks again for the leads. I think for now I might just employ a rule on our firewall that allows only corporate Wi-Fi traffic into the Citrix host. Anyone who wants to work remotely outside of that can just e-mail me to whitelist them. What I'm not used to compared to the Cisco ASA is that any firewall NAT rule changes can't be done on the fly during production hours. Since all traffic that traverses the firewall is briefly interrupted. Our SIP phone registrations, active SIP calls, client/server traffic, etc. So have to do it off-hours. That's kinda a pain but it is what it is I guess.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.