DMZ with layer 3 routing in place. Deny all blocking access from external.

NickWatson
Comes here often

DMZ with layer 3 routing in place. Deny all blocking access from external.

We are trying to not move our Routing and DHCP to the firewall and in keeping it on the switch level but in doing so, we need to free up ACLs for some additional functionality. So, what we have is our DMZ VLAN with allow / denys for all our internal VLANs and NAT with allowable IPs from the Cloudflare IPs on ports 80/443. But when I add a deny all, it breaks external access to the web servers and I cannot determine why. Do the external allowble IPs in NAT have to be added as well or?

 

FW / Core stack VLANs ----- ACL allows in place for VLAN 125 

9300 stack feeding servers-----ACL allows in place for VLAN 10

VMWARE----ACL allows in place for VLAN 4

Public IPs------ACL allows in place 

 

FW                         CORE                     9300            VMWARE           WEB SUBNET       

VLAN 125               VLAN 125              VLAN 10       VLAN 4

 

 

 

6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal

You need ACLs allowing HTTP, HTTP, and DNS ports.
 
One question, is this ACL being created on the Switch?
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
NickWatson
Comes here often

Allows include that and are on the switch level due to routing and dhcp being at that level. I would rather do all controls at the Firewall but with the routing and dhcp being done on the core stack and static routing in place on the FW I have not been able to to that. 

alemabrahao
Kind of a big deal
Kind of a big deal

Can you share a screenshot of the ACL configuration? You can omit the IPs if it is more comfortable for you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
NickWatson
Comes here often

I have 122 ACLs in place but sending the last 30 or so for review. Please let me know if you need them all. This is all working as expected from internal VLANs the only issue is from external and only when I do a deny all at the end. Just curious of any missing logic as it applies to that. I think the DNS might be one of the issues, as we have Umbrella, but the IPs are not in the range at present for an allow.

Capture.JPG

alemabrahao
Kind of a big deal
Kind of a big deal

Can you ping external IPs like Google? If so, DNS could be the problem.
 
Try allowing DNS in your rule.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
NickWatson
Comes here often

Tested again this morning with an expanded subnet in one of the server ranges and still have same issue. I did verify I can ping the web server by IP and name from a local subnet but cannot access the IIS content, can remote to the server (from a server subnet) and can ping out from the web servers to 8.8.8.8 and google.com BUT I cannot access them from a browser on the server. 

 

Adding the allows/denies in place on the VLANs. I have to troubleshoot in the early AM so the deny alls are not in place at this time. With what I have below, it works. When I add the denies, it breaks. 

 

Capture.JPG

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels