Where to configure "inbound" filter on the MX device

Solved
diablo24
Building a reputation


Hi,

 

I notice there's an API for getting inbound filters on an MX device:

 

 

GET 'https://api.meraki.com/api/v0/networks/{networkId}/appliance/firewall/inboundFirewallRules'

Successful HTTP Status: 200

{
  "rules": [
    {
      "comment": "Allow TCP traffic to subnet with HTTP servers.",
      "policy": "allow",
      "protocol": "tcp",
      "destPort": 443,
      "destCidr": "192.168.1.0/24",
      "srcPort": "Any",
      "srcCidr": "Any",
      "syslogEnabled": false
    }
  ],
  "syslogDefaultRule": true
}

 

 

 

However, I can't find where on the dashboard to configure this. There's a Note on the firewall page that says:

Inbound rules
Inbound traffic will be restricted to the services and forwarding rules configured below.

 

But the forwarding rules do not look like the output above. Is there another section where this is configured?

 

Thanks,

-Jerome

1 Accepted Solution
PhilipDAth
Kind of a big deal

>That's the reason why I think I can't do NO-NAT.

 

And part of the reason you can not edit inbound firewall rules.


11 Replies
PhilipDAth
Kind of a big deal

I'm a little hazy on this, but I think when you configure the MX for NO-NAT mode (aka it becomes just a router) it enables the inbound rules section.  Or it might be you need to open a support ticket to get it turned on.

 

I'm pretty sure it is related to using NO-NAT.

diablo24
Building a reputation


I don't have any NAT configured. I guess I have to open up a support case.

PhilipDAth
Kind of a big deal

By default, you will have outbound PAT configured.

 

Check out from this post down:

https://community.meraki.com/t5/Security-SD-WAN/MX-in-Routed-Mode-with-No-Nat/m-p/44061/highlight/tr... 

diablo24
Building a reputation

Maybe that's the problem. I'm running version 14.40.

PhilipDAth
Kind of a big deal

I don't think I have articulated this well.

 

You will not get the ability to use the inbound firewall rules unless you have NO-NAT configured and enabled.

 

Otherwise in your configuration - all inbound initiated traffic is blocked unless you have created a NAT rule to allow that traffic in.

diablo24
Building a reputation

@PhilipDAth 

Sorry that might be my fault. In the link you provided above it says:

"NO-NAT is available in the 15.x code, which you can deploy to your device right now via the dashboard."

 

That's the reason why I think I can't do NO-NAT.

PhilipDAth
Kind of a big deal

>That's the reason why I think I can't do NO-NAT.

 

And part of the reason you can not edit inbound firewall rules.

munaf
Comes here often

How can we enable inbound rules on a Meraki MX64 device?

MerakiDave
Meraki Employee

@diablo24 yes, you can run No-NAT in MX15, but if all you need is to configure inbound firewalling in the same fashion as configuring the outbound rules, open a support ticket and they can enable inbound FW rules for you. It's not visible in the Dashboard UI by default (although I have requested that it should be).

diablo24
Building a reputation

Thanks @MerakiDave I'll do that.

WWWolf
Here to help

You should also be able to configure Layer 7 rules to block inbound connections from a "remote IP range" (or single /32 IP).  Depending on your needs, it should be just as effective as a Layer 3 rule.
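
An added example, not part of any post in this thread and not Meraki's code: a read-only review of the JSON shape returned by the inboundFirewallRules endpoint quoted in the first post, flagging allow rules with a wildcard source, a wildcard destination port, a destination wider than one host, or syslog disabled. The second sample rule, the function names and the finding labels are assumptions made for this example.

```python
import ipaddress
import json

# Constructed sample: rule 0 is the rule quoted in the first post, rule 1 is
# invented here (documentation address range) to show a rule that passes.
SAMPLE = json.loads("""
{"rules": [
    {"comment": "Allow TCP traffic to subnet with HTTP servers.",
     "policy": "allow", "protocol": "tcp", "destPort": 443,
     "destCidr": "192.168.1.0/24", "srcPort": "Any", "srcCidr": "Any",
     "syslogEnabled": false},
    {"comment": "Constructed: admin SSH from one office range",
     "policy": "allow", "protocol": "tcp", "destPort": 22,
     "destCidr": "192.168.1.10/32", "srcPort": "Any",
     "srcCidr": "203.0.113.0/29", "syslogEnabled": true}
  ],
 "syslogDefaultRule": true}
""")

def is_any(value):
    """Wildcards appear as the string "Any" in the quoted response."""
    return str(value).strip().lower() == "any"

def exposed_hosts(cidr):
    """Addresses covered by destCidr; None for "Any" or a non-CIDR value."""
    try:
        return ipaddress.ip_network(str(cidr).strip(), strict=False).num_addresses
    except ValueError:
        return None

def audit(config):
    """Return (rule_index, finding) pairs, in rule order, for allow rules."""
    findings = []
    for i, rule in enumerate(config.get("rules", [])):
        if str(rule.get("policy", "")).lower() != "allow":
            continue  # deny rules do not open anything inbound
        if is_any(rule.get("srcCidr", "Any")):
            findings.append((i, "any-source"))
        if is_any(rule.get("destPort", "Any")):
            findings.append((i, "any-dest-port"))
        hosts = exposed_hosts(rule.get("destCidr", "Any"))
        if hosts is None or hosts > 1:
            findings.append((i, "dest-wider-than-one-host"))
        if not rule.get("syslogEnabled", False):
            findings.append((i, "no-syslog"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
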
