Port Forwarding Issue with Internal LAN

Eri1
Here to help

Hi all, we noticed that port forwarding NAT does not have any restriction on the internal LAN and we want to restrict it. We tested a similar routing to a hairpin routing and found the traffic got its header rewritten to be sourced from the MX's IP/MAC, or the layer 3 interface in which the destination client resides. The allowed remote IP restriction will not work as the traffic is coming from the internal LAN.

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

For example, we have Internal LAN of 192.168.2.0/24 and MX public IP of 12.34.56.78. Port forwarding was set up to forward traffic destined for the WAN IP of the MX to some internal IP and allowed it to only 1 remote IP.

Does Meraki have any security feature to tackle this vulnerability?

Eri1
Here to help

Just to add on this: as the IPv4 header is rewritten to be sourced from the MX's IP/MAC, or the layer 3 interface in which the destination client resides, it will bypass any firewall rules, as we can't add the MX's public IP as the src.

PhilipDAth
Kind of a big deal

This is working as designed, and it is not considered a vulnerability.

1:1 NAT mapping allows any host on any internal VLAN to access the mapped address.

You might be able to restrict this by applying a group policy to the VLAN of the MX, and applying firewall rules in the group policy to prevent access.

Eri1
Here to help

Hi Philip, just to confirm the processing order between firewall rules and NAT mapping: which will the traffic be subjected to first?

PhilipDAth
Kind of a big deal

I can't find any documentation on that and it is not something I have tested. This is the closest.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...

Eri1
Here to help

Hi Philip, no worries. I tested both the firewall and the group policy, and it did not work.

From that, the traffic was subjected to NAT first, got its source IP rewritten, and bypassed the firewall rules.

Eri1
Here to help

Hi, just an update: I did a test with a technician and confirmed that traffic like hairpin routing (using port forwarding) did bypass the layer 3 restriction, and currently I believe Meraki does not have any feature to restrict this for now (correct me if I am wrong). Maybe if there were a way to disable hairpin or enable no-NAT for certain traffic like this, it would help with this vulnerability.

So the alternative solution the technician provided was to use an ACL which blocks the traffic on the switch and stops it from reaching the router. It is fine for now, but it is not scalable, as we need to create a rule for each VLAN and each port. (If I've got 3 VLANs to restrict from using 3 port forwarding rules, I have to create 9 rules.)
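The two behaviours discussed in this thread, modelled in a small Python script added here as an illustration (it is not Meraki code and does not talk to any device): `hairpin_nat` shows why the MX firewall never sees the original internal source once the header is rewritten, and `switch_acl` generates the per-VLAN, per-port deny entries of the technician's switch ACL workaround, whose count grows as VLANs times forwarding rules. The VLAN layout, server addresses and the assumption that the MX's layer 3 interface is the first usable address of each VLAN are constructed for the example; only the public IP 12.34.56.78 comes from the post.

```python
import ipaddress
from itertools import product

# Constructed sample topology modelled on the thread (not from the post).
MX_PUBLIC_IP = "12.34.56.78"
INTERNAL_VLANS = {10: "192.168.1.0/24", 20: "192.168.2.0/24", 30: "192.168.3.0/24"}
# (protocol, public port, internal server) -- constructed forwarding rules
PORT_FORWARDS = [("tcp", 443, "192.168.2.10"), ("tcp", 22, "192.168.2.11"),
                 ("tcp", 3389, "192.168.2.12")]

def vlan_gateway(ip):
    """Assumption: the MX's layer-3 interface is the first usable address of the VLAN."""
    for subnet in INTERNAL_VLANS.values():
        net = ipaddress.ip_network(subnet)
        if ipaddress.ip_address(ip) in net:
            return str(net[1])
    raise ValueError(f"{ip} is not in a known VLAN")

def hairpin_nat(src_ip, dst_ip, dst_port, proto="tcp"):
    """Model of the behaviour the thread describes: a LAN packet sent to the MX
    public IP on a forwarded port is translated to the internal server, and its
    source is rewritten to the MX interface in the server's VLAN. A firewall rule
    keyed on the original internal source therefore has nothing to match."""
    for fw_proto, port, server in PORT_FORWARDS:
        if dst_ip == MX_PUBLIC_IP and (proto, dst_port) == (fw_proto, port):
            return (vlan_gateway(server), server, dst_port)
    return (src_ip, dst_ip, dst_port)  # not a forwarded port: no translation

def switch_acl(vlans=INTERNAL_VLANS, forwards=PORT_FORWARDS, public_ip=MX_PUBLIC_IP):
    """The workaround from the thread: one deny entry per (VLAN, forward) pair,
    applied on the switch so the packet never reaches the MX. The deny count is
    len(vlans) * len(forwards), which is the scaling problem the poster notes."""
    entries = [("deny", proto, subnet, public_ip, port)
               for subnet, (proto, port, _) in product(vlans.values(), forwards)]
    entries.append(("permit", "any", "any", "any", None))
    return entries

def acl_permits(entries, src_ip, dst_ip, dst_port, proto="tcp"):
    """First-match evaluation of the generated ACL; True means the packet passes."""
    src = ipaddress.ip_address(src_ip)
    for action, a_proto, a_src, a_dst, a_port in entries:
        if a_proto not in ("any", proto):
            continue
        if a_src != "any" and src not in ipaddress.ip_network(a_src):
            continue
        if a_dst != "any" and a_dst != dst_ip:
            continue
        if a_port is not None and a_port != dst_port:
            continue
        return action == "permit"
    return False  # implicit deny at the end of the list
```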
