Port Forwarding Protection against Internal Network

Eri1

Hi all, we noticed that hairpin routing is enabled by default for port forwarding: 1:1 NAT and 1:Many NAT.

We are planning to host a server through port forwarding for public use on a certain remote IP and Meraki does provide a way to achieve this. 

We want to restrict internal staff from accessing or making any changes on the server. But apparently, internal staff (in the same network as the server) are able to utilize that port forwarding to access the server using the public IP. (Firewall rules were able to block direct internal access, not hairpin routing.)

Does anyone have any similar experience about this situation or solutions that might achieve this protection?

Thank you for your time.

Brash

I'm not sure of the answer on this but will provide some additional information below.

Port forwarding and NAT rules take precedence over outbound L3 rules - Solved: Re: port forwarding rule priority - The Meraki Community

However, as per the following doc, traffic from the internal hosts will be rewritten to communicate directly with the internal server.

Traffic sourced from the LAN of the MX that is destined for the public IP configured in the port forwarding/1:1 NAT/1:Many NAT section will be routed to the private IP address associated with the configured mapping. 

In this process, the MX will accept the packet on the LAN and rewrite the IPv4 header. The rewritten header will be sourced from the MX's IP/MAC, or layer 3 interface in which the destination client resides, while also being destined for the private IP/MAC of the client mapped to the 1:1 NAT.

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX#...

So I'm not sure whether you can simply create an outbound L3 rule that blocks clients from the server, and whether that will apply because the hairpin routing rewrites the IPv4 header to the private IP address rather than the public one... or whether the outbound L3 rule will still be bypassed as the port forward/DNAT rule is in place.

You could enable access to the inbound L3 firewall rules and try to use those instead but I'm not sure whether they will apply to traffic hair-pinned from the LAN.

NAT Exceptions with Manual Inbound Firewall on MX Security Appliances - Cisco Meraki Documentation
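One practical check that follows from the quoted doc: after the hairpin rewrite, the server no longer sees the staff workstation's address at all, only the MX's LAN interface IP, so a server-side source-IP allowlist cannot separate hairpinned internal clients from anything else. The script below is an added example (not code from either post or from Meraki) that audits a server's access log for that signature. The addresses (192.168.10.0/24 as the server VLAN, 192.168.10.1 as the MX interface on it) and the log lines are constructed for the illustration and are not from the thread.

```python
"""Audit a web server's access log to spot hairpinned LAN connections.

Added example, not from the Meraki thread. Per the Meraki doc quoted above,
LAN traffic sent to the public IP of a port forward/1:1/1:Many NAT mapping is
DNAT'd to the private server IP and its source is rewritten to the MX's L3
interface on the server's VLAN. So on the server, "client IP == MX interface IP"
is the fingerprint of an internal client that reached the server via the
public IP, and the original client address is gone.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical addressing for the illustration (assumed, not from the thread).
LAN_NET = ipaddress.ip_network("192.168.10.0/24")   # VLAN where the server lives
MX_LAN_IP = ipaddress.ip_address("192.168.10.1")     # MX L3 interface on that VLAN
SERVER_IP = ipaddress.ip_address("192.168.10.50")    # private IP behind the forward

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
192.168.10.1 - - [10/Mar/2024:10:01:05 +0000] "POST /admin/save HTTP/1.1" 200 88
192.168.10.23 - - [10/Mar/2024:10:01:09 +0000] "GET /admin HTTP/1.1" 403 0
198.51.100.9 - - [10/Mar/2024:10:01:12 +0000] "GET / HTTP/1.1" 200 1024
192.168.10.1 - - [10/Mar/2024:10:01:15 +0000] "GET /admin HTTP/1.1" 200 2048
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def classify_source(src):
    """Label a client address by how it most likely reached the server.

    hairpin    - source is the MX LAN interface: an internal client used the
                 public IP and the MX rewrote the source; real client unknown.
    direct-lan - an internal client connected to the private IP; this is the
                 path an outbound L3 rule on the MX can block.
    internet   - anything outside the server VLAN.
    """
    ip = ipaddress.ip_address(src)
    if ip == MX_LAN_IP:
        return "hairpin"
    if ip in LAN_NET:
        return "direct-lan"
    return "internet"


def parse_log(text):
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        entries.append({
            "src": m["src"],
            "ts": m["ts"],
            "request": m["req"],
            "status": int(m["status"]),
            "origin": classify_source(m["src"]),
        })
    return entries


def summarize(entries):
    """Count connections per origin class."""
    return Counter(e["origin"] for e in entries)


def hairpin_admin_hits(entries, prefix="/admin"):
    """Successful (status < 400) hairpinned requests under an admin path.

    These are exactly the accesses the original poster wants to prevent:
    internal clients reaching the management UI through the public IP.
    """
    hits = []
    for e in entries:
        parts = e["request"].split()
        path = parts[1] if len(parts) >= 2 else ""
        if e["origin"] == "hairpin" and path.startswith(prefix) and e["status"] < 400:
            hits.append(e)
    return hits


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(dict(summarize(found)))
    for hit in hairpin_admin_hits(found):
        print("hairpinned admin access via MX interface:", hit["ts"], hit["request"])
```

If real logs show hits whose source is the MX's interface IP on the server VLAN, internal clients are getting in through the public address; the script can confirm the condition but cannot recover which workstation did it, which is why the block has to happen on the MX (or on a separate VLAN/ACL in front of the server) rather than on the server itself.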
