Meraki

Community

Whitelist incoming IP address

CarlosCoque
Here to help
‎Apr 18 2023 1:23 PM
‎Apr 18 2023 1:23 PM

Whitelist incoming IP address

Hello,

We use an MX-64 Security Gateway as our internet gateway at the office.

We're planning to run a vulnerability scanner from outside and they gave us 2 IP addresses to be added, so tests won't be blocked by any security feature at the firewall level.

I've been researching a way of doing that in our Meraki firewall, but haven't found it yet.

We have another firewall from SonicWall and we did that in the IPS feature.

Thanks,

Carlos

0 Kudos
4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 18 2023 1:40 PM
‎Apr 18 2023 1:40 PM

I'm not sure if it's possible.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
DAlleman
Meraki Employee
Meraki Employee
‎Apr 18 2023 2:15 PM
‎Apr 18 2023 2:15 PM

By default the MX is going to block all inbound traffic unless it was initiated from inside, so the scan would be blocked or only scan the public IP of the MX.

Please reference either document below for further explanation:

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Blocking_Inbound_Traffic_on_MX_Security_...
https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

 

0 Kudos
CarlosCoque
Here to help
‎Apr 18 2023 2:45 PM
‎Apr 18 2023 2:45 PM

Hi @DAlleman, thanks for the article.

 

I've read that and apparently, the only way to partially do that is to configure a NAT 1:1, which is not exactly what I'm looking for because I don't have a specific LAN IP address I'd like to use.

 

CarlosCoque_1-1681854331958.png

 

Do you think there is another way to achieve that requirement? (below)

 

Do you think there is anything I can do to achieve this?

CarlosCoque_0-1681854094359.png

 

0 Kudos
DAlleman
Meraki Employee
Meraki Employee
‎Apr 19 2023 9:45 AM
‎Apr 19 2023 9:45 AM

If what you are trying to achieve is an external scan of your environment and you have no NATs configured, then it's only going to scan the MX as that is all that is exposed to the internet.

If you're planning to scan your servers or other resources then you will need to move the scan onto an internal host.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.