DMZ with layer 3 routing in place. Deny all blocking access from external.
We are trying not to move our routing and DHCP to the firewall and to keep it at the switch level, but in doing so we need to free up ACLs for some additional functionality. So, what we have is our DMZ VLAN with allow/denies for all our internal VLANs, and NAT with allowable IPs from the Cloudflare IPs on ports 80/443. But when I add a deny all, it breaks external access to the web servers and I cannot determine why. Do the external allowable IPs in NAT have to be added as well, or?
FW / Core stack VLANs ----- ACL allows in place for VLAN 125
9300 stack feeding servers-----ACL allows in place for VLAN 10
VMWARE----ACL allows in place for VLAN 4
Public IPs------ACL allows in place
FW CORE 9300 VMWARE WEB SUBNET
VLAN 125 VLAN 125 VLAN 10 VLAN 4
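The ACL design described in the post (web servers behind a switch-level ACL, Cloudflare allowed on 80/443, an explicit deny at the end), written out as an IOS XE extended ACL. This is an added example, not the poster's configuration or Cisco's reference config. Everything not stated in the thread is assumed: the web servers sit in 192.0.2.0/24 on VLAN 4 behind SVI Vlan4 on the core stack, internal VLANs are summarised as 10.0.0.0/8, 104.16.0.0/13 stands in for the Cloudflare IPv4 list (use the full published list), 208.67.222.222 and 208.67.220.220 are the Cisco Umbrella resolvers, and the ACL name is made up. The security-relevant point is that switch ACLs are stateless and direction-specific: an ACL applied `in` on the DMZ SVI filters traffic *sourced by* the servers, so once the final deny is added the replies back to Cloudflare, DNS to Umbrella and any server-initiated outbound sessions all need their own permits above it. Because NAT happens on the firewall, the switch sees the servers' private addresses and Cloudflare's real source addresses; if the firewall also rewrites the source address, the return permits must reference the firewall's NAT address instead.

```cisco
! Added example, not the poster's config. Assumed addressing:
!   192.0.2.0/24        web server subnet (VLAN 4, SVI Vlan4 on the core stack)
!   10.0.0.0/8          internal VLANs (assumed summary)
!   104.16.0.0/13       one Cloudflare IPv4 range (use the full published list)
!   208.67.222.222/220  Cisco Umbrella resolvers
! Applied "in" on Vlan4, so every line matches traffic SOURCED BY the servers.
! The Cloudflare -> server permits on 80/443 live wherever the inbound direction
! is filtered (firewall NAT rule / "out" on this SVI); this list is the return side.
!
ip access-list extended DMZ-WEB-IN
 remark --- replies to Cloudflare for the published sites (stateless, so needed) ---
 permit tcp 192.0.2.0 0.0.0.255 eq 80 104.16.0.0 0.7.255.255 established
 permit tcp 192.0.2.0 0.0.0.255 eq 443 104.16.0.0 0.7.255.255 established
 remark --- name resolution to Umbrella only ---
 permit udp 192.0.2.0 0.0.0.255 host 208.67.222.222 eq 53
 permit udp 192.0.2.0 0.0.0.255 host 208.67.220.220 eq 53
 permit udp 192.0.2.0 0.0.0.255 host 208.67.222.222 eq 53
 remark --- server-initiated outbound web (patching, browser on the server) ---
 permit tcp 192.0.2.0 0.0.0.255 any eq 80
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 remark --- keep the DMZ out of the internal VLANs, logged, before the final deny ---
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark --- explicit, logged deny all so drops are visible in syslog ---
 deny   ip any any log
!
interface Vlan4
 description DMZ web subnet
 ip access-group DMZ-WEB-IN in
```

To find out which flow the deny is eating, clear the counters with `clear ip access-list counters DMZ-WEB-IN`, reproduce the failure, then read `show ip access-lists DMZ-WEB-IN`: the ACE whose hit count climbs is the one matching the broken traffic, and with `log` on the final deny the dropped source/destination/port also shows up in `show logging`. If the `established` lines never get hits while the deny does, the return traffic is not arriving with the addresses the ACL expects, which is the NAT question the post raises.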
Please, if this post was useful, leave your kudos and mark it as solved.
Allows include that and are at the switch level due to routing and DHCP being at that level. I would rather do all controls at the firewall, but with the routing and DHCP being done on the core stack and static routing in place on the FW, I have not been able to do that.
Can you share a screenshot of the ACL configuration? You can omit the IPs if it is more comfortable for you.
I have 122 ACLs in place but am sending the last 30 or so for review. Please let me know if you need them all. This is all working as expected from internal VLANs; the only issue is from external, and only when I do a deny all at the end. Just curious about any missing logic as it applies to that. I think the DNS might be one of the issues, as we have Umbrella, but the IPs are not in the range at present for an allow.
Tested again this morning with an expanded subnet in one of the server ranges and still have the same issue. I did verify I can ping the web server by IP and name from a local subnet but cannot access the IIS content; I can remote to the server (from a server subnet) and can ping out from the web servers to 8.8.8.8 and google.com, BUT I cannot access them from a browser on the server.
Adding the allows/denies in place on the VLANs. I have to troubleshoot in the early AM, so the deny-alls are not in place at this time. With what I have below, it works. When I add the denies, it breaks.
