deny inbound traffic

FishMan
Comes here often


I did a port forwarding for all SMTP port 25 to my internal server. I also need to deny some specific public IPs from accessing my internal email server.

Looking for your help.

8 REPLIES
DarrenOC
Kind of a big deal

Hi @FishMan 


This would be configured under your Outbound Firewall rules. Set the destination as the Public IP you want to block and the source as your email server.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
FishMan
Comes here often

Hi UCcert,

Thanks a lot, will try to do this, but it's more than 10 public IPs that I want to block. Would that be OK?

DarrenOC
Kind of a big deal

That shouldn’t be a problem @FishMan 

KarstenI
Kind of a big deal

@DarrenOC I would not expect this to work. When the connection is coming from the outside, it is inspected statefully and the outbound rules are not applied anymore to this traffic.

ww
Kind of a big deal

Group policy FW rules are stateless. In case the stateful MX FW rules do not work, you can try those.

KarstenI
Kind of a big deal

Just tried it: The Group-Policy approach works!

FishMan
Comes here often

Can you share how to do this?

KarstenI
Kind of a big deal

You have to:

  • Create a new Group-Policy
    • Deny all traffic to the list of unwanted servers
    • Allow the rest
  • Apply this Group-Policy to the Mail-server
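
The steps above written out as a group-policy request body, as an added example that is not part of the original thread. It assumes the field names of the Meraki Dashboard API v1 group policy object (`firewallAndTrafficShaping`, `l3FirewallRules`); the policy name, the `MIN_PREFIX` limit and the sample addresses are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample input (RFC 5737 documentation ranges), not addresses from the thread.
BLOCKED = ["203.0.113.5", "203.0.113.4", "198.51.100.0/24", "203.0.113.5"]
MIN_PREFIX = 16  # hypothetical safety limit: refuse anything broader than a /16


def build_block_policy(name, blocked):
    """Build a group-policy body: deny each unwanted sender, then allow the rest."""
    nets = []
    for entry in blocked:
        # Raises ValueError on typos, IPv6, or a host address written with a mask.
        net = ipaddress.IPv4Network(entry.strip(), strict=True)
        if net.prefixlen < MIN_PREFIX:
            raise ValueError(f"{entry} is too broad; it would cut off legitimate mail")
        nets.append(net)
    rules = [
        {"comment": f"Block unwanted sender {net}", "policy": "deny",
         "protocol": "any", "destPort": "any", "destCidr": str(net)}
        # collapse_addresses drops duplicates and merges adjacent entries.
        for net in ipaddress.collapse_addresses(nets)
    ]
    # Explicit final rule for the "Allow the rest" step.
    rules.append({"comment": "Allow the rest", "policy": "allow",
                  "protocol": "any", "destPort": "any", "destCidr": "any"})
    return {"name": name,
            "firewallAndTrafficShaping": {"settings": "custom",
                                          "l3FirewallRules": rules}}


if __name__ == "__main__":
    print(json.dumps(build_block_policy("Mail-server-blocklist", BLOCKED), indent=2))
```

The resulting policy still has to be applied to the mail server's client entry, as the last step of the list says.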