Guest VLan can't access public Exchange/ OWA

Brian_R
New here


Hey folks, 
I've seen this come up a few times, but haven't had any luck resolving this.
Here's my issue:
Wireless clients connected to the Guest VLAN can't access my on-prem Exchange server.
I have the Meraki handing out DHCP addresses. I have public DNS servers for name resolution.

Wireless clients receive the public-facing IP address of the mail server like you'd expect. 
However, the connection fails. I'm not sure what's being blocked here.

In the Firewall & Traffic page I have exceptions for the internal IP address of the mail server on ports 25, 143, 993, 587.
I also have a deny rule to prohibit wireless clients from accessing local LAN. 

No L7 rules are defined.
Are these rules processed in a specific order? I was thinking they were processed top-down.


I appreciate any help y'all can throw my way!

-Brian

UCcert
Kind of a big deal

Hey Brian.  The firewall rules are generally filtered on a top-down basis.

However...what if you flip that Deny rule to Allow <wireless clients accessing LAN>?

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Bruce
Kind of a big deal

Hi @Brian_R, is the MS Exchange server sitting behind the same MX that the Guests are on, and does it have an internal IP address that is being NATed by the MX to its external IP address? If so then it's quite possible that the traffic flow isn't as you are expecting. I'd start by mapping out the actual traffic flow from the Guest VLAN to the public IP address of the MS Exchange Server.

It's very possible that your traffic from the Guest VLAN is heading to the internet, then being bounced back to you by your ISP and then being treated as external traffic coming into the MX - which if there are no port mappings is going to fail. But this all depends on where the MS Exchange server is in relation to the Guest VLAN.

cmr
Kind of a big deal

@Brian_R if you want to do this, I think you'll need to use private DNS, so the traffic doesn't try to go out of the WAN port. 

At the moment you have traffic heading out of the WAN only to be sent straight back on the same interface (different IP?), in through to the LAN, to the Exchange server. The return traffic gets confused as it'll head back to the MX, find out that the IP address it is looking for is on a different LAN port, and want to head off that way back to the client, but as it is a stateful firewall there is no return path that way, so it gets dropped.

If you have private DNS to give the client the internal IP then it can route that way. If you want it to be totally separate, run the public connection on a separate device.
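As an added diagnostic that is not part of this thread or of any Meraki tooling, the script below follows Bruce's and cmr's advice: run from a guest-VLAN client, it shows which address the client's resolver hands back for the mail host, classifies it as RFC 1918 or public (so you can tell whether the flow hairpins out the WAN or stays inside the MX), and probes the four ports from the original post. The hostname mail.example.com and LAN address 192.168.1.25 are placeholders to replace with your own.

```python
import ipaddress
import json
import socket
from typing import Dict, List

# Ports the original post says are opened for the mail server.
MAIL_PORTS = [25, 143, 993, 587]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip: str) -> str:
    """Label an IPv4 address 'private' (RFC 1918) or 'public'."""
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in RFC1918) else "public"


def resolve(hostname: str) -> List[str]:
    """Return the unique IPv4 addresses the client's configured resolver hands back."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe_port(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(resolved: List[str], internal_ip: str) -> str:
    """State which path guest traffic takes, following the reasoning in the thread."""
    if internal_ip in resolved:
        return "direct: client has the internal IP, so traffic stays inside the MX (private DNS)"
    if all(classify(ip) == "public" for ip in resolved):
        return ("hairpin: client has only the public IP, so traffic leaves the WAN and must be "
                "port-forwarded back in; the return path is subject to the stateful firewall")
    return "mixed: resolver returned a private IP that is not the Exchange server's"


def run(hostname: str, internal_ip: str, ports: List[int] = MAIL_PORTS) -> Dict[str, object]:
    """Resolve, diagnose and probe; returns a report dict suitable for printing as JSON."""
    resolved = resolve(hostname)
    ports_by_ip = {ip: {p: probe_port(ip, p) for p in ports} for ip in resolved}
    return {"resolved": resolved, "diagnosis": diagnose(resolved, internal_ip), "ports": ports_by_ip}


if __name__ == "__main__":
    # Placeholder hostname and LAN address; substitute the real mail host and its internal IP.
    print(json.dumps(run("mail.example.com", "192.168.1.25"), indent=2))
```

Run it once with the public resolvers and once after switching the guest scope to private DNS; a "hairpin" result with closed ports is the failure cmr describes, and a "direct" result with open ports confirms the fix.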

PhilipDAth
Kind of a big deal

Don't forget there are also WiFi Firewall rules.  Any chance you have the "Deny Local LAN" option selected?

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_... 
