Meraki

Community

Guest VLan can't access public Exchange/ OWA

Brian_R
New here
‎Nov 17 2020 2:20 PM
‎Nov 17 2020 2:20 PM

Guest VLan can't access public Exchange/ OWA

Hey folks, 
 I've seen this come up a few times, but haven't had any luck resolving this.
Here's my issue:
Wireless clients connected to the Guest VLan can't access my on prem Exchange server.
I have the Meraki handing out DHCP addresses. I have public DNS servers for name resolution.

Wireless clients receive the public-facing IP address of the mail server like you'd expect. 
However, the connection fails. I'm not sure what's being blocked here.

In the Firewall & Traffic page I have exceptions for the internal IP address of the mail server on ports 25, 143, 993, 587.
I also have a deny rule to prohibit wireless clients from accessing local LAN. 

No L7 rules are defined.
Are these rules processed in a specific order? I was thinking they were processed top-down.

Brian_R_0-1605651549351.png

 

I appreciate any help ya'll can throw my way!

-Brian

 

 

4 Replies 4
DarrenOC
Kind of a big deal
Kind of a big deal
‎Nov 17 2020 2:51 PM
‎Nov 17 2020 2:51 PM

Hey Brian.  The firewall rules are generally filtered on a top-down basis.

 

However...what if you flip that Deny rule to Allow <wireless clients accessing LAN>?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
Bruce
Kind of a big deal
‎Nov 17 2020 2:58 PM
‎Nov 17 2020 2:58 PM

Hi @Brian_R, is the MS Exchange server sitting behind the same MX that the Guests are on, and does it have an internal IP address that is being NATed by the MX to its external IP address? If so then it's quite possible that the traffic flow isn't as you are expecting. I'd start by mapping out the actually traffic flow from the Guest VLAN to the public IP address of the MS Exchange Server

 

It's very possible that your traffic from the Guest VLAN is heading to the internet, then being bounced back to you by your ISP and then being treated as external traffic coping into the MX - which if there are no port mappings is going to fail. But this all depends on where the MS Exchange server is in relation to the Guest VLAN.

 

 

0 Kudos
In response to Bruce
cmr
Kind of a big deal
Kind of a big deal
‎Nov 17 2020 3:27 PM
‎Nov 17 2020 3:27 PM

@Brian_R if you want to do this, I think you'll need to use private DNS, so the traffic doesn't try to go out of the WAN port. 

 

At the moment you have traffic heading out of the WAN only to be sent straight back on the same interface (different IP?), In through to the LAN, to the Exchange server.  The return traffic gets confused as it'll head back to the MX, finds out that the IP address it is looking for is on a different LAN port, wants to head off that way back to the client but as it is a stateful firewall there is no return path that way so gets dropped.

 

If you have private DNS to give the client the internal IP then it can route that way, if you want it to be totally separate, run the public connection on a separate device.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 18 2020 12:42 PM
‎Nov 18 2020 12:42 PM

Don't forget there are also WiFi Firewall rules.  Any chance you have the "Deny Local LAN" option selected?

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_... 

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.