Meraki

Community

About HOD-DBQ

Re: Can these protocols/ciphers/attacks be blocked by MX65?

by in Security & SD-WAN
‎Feb 7 2018 9:47 AM
‎Feb 7 2018 9:47 AM
The open ports method was kind of grandfathered in when we switched routers. We've always been a bit concerned about the security. We've used the VPN Clients for other access and now we will be using it completely and as you say get rid of the port forwards. I've already tested it and it works. And of course, this will also eliminate any Scan failures we would have with PCI which is what got me started in the first place. Thanks for your help. ... View more

Can these protocols/ciphers/attacks be blocked by MX65?

by in Security & SD-WAN
‎Feb 5 2018 1:00 PM
‎Feb 5 2018 1:00 PM
PCI (Payment Card Industry) scans our network through the MX65 to check for vulnerabilities. The scan itself is intended to check the web server that is used for accepting credit card payments and identify any vulnerabilities. We however do not have a web server and of course do not accept credit card payments in that way. We have a card reader that sits in the office and is connected via a USB port to a local PC. So the purpose of the scan is really meaningless for our setup. The scans fail because we have Ports opened on the MX65 Firewall settings to allow for Remote Desktop Connections. None of these PC's ever have the card reader attached to it so that is another reason why the scans are meaningless. The scan is able to connect through these ports and establish connections using methods that are now considered security risks. What I'm trying to figure out is if I can stop these connections by disabling these at the MX65? Then our scan would not have any failures. Here are the 4 that I want to focus on: 1. TLS 1.0 2. CVE-2016-2183 (SWEET32 attack) 3. CVE-2013-2566 (RC4 ciphers) 4. CVE-2016-0800 (SSLv2 protocol) Can any of these be blocked at the Meraki MX65 router so they won't show as failures?   Thank you. Dave   ... View more

Re: For MX65: Only allow SMTP traffic from Barracuda IP Range

by in Security & SD-WAN
‎Oct 11 2017 5:12 PM
‎Oct 11 2017 5:12 PM
Phillip, your method seems to be working. Meraki got back to me with a different way to do it but that would have required setting 3 rules as opposed to your method. So I went with yours. I already had the SMTP Firewall config so all I needed to do was add the IP ranges. I had someone bypass the Barracuda IP's and send directly to our public IP and it was rejected which is what I wanted. The rest of email is working as before. Thanks so much for your insight. I'm going to investigate the other method as well just to see if there is any difference and I will update the post. Thanks, again...Dave ... View more

For MX65: Only allow SMTP traffic from Barracuda IP Range

by in Security & SD-WAN
‎Oct 11 2017 7:54 AM
‎Oct 11 2017 7:54 AM
I created a regular case with Cisco/Meraki for this. In 2 comments, I explained exactly what I wanted. Each time the response back clearly showed they didn't understand what seems fairly straight forward. So I'm hoping the forum can help me. We have an On-Premise Exchange server. In the last month we switched our eMail security from local to Barracuda Cloud Services. The Exchange server is still On-Premise. Everything is working as expected. The way BCS works is our MX records point to Barracuda instead of to us. Now all Incoming email goes through BCS first. Again, that is all working fine. But Spammers can ignore our MX records and send directly to our IP address and thus bypass Barracuda. To stop this, Barracuda recommends locking down our External Firewall by only allowing SMTP traffic to come from the Barracuda IP Range. Here is exactly what they say: It is recommended to lock down your External Firewall to only allow SMTP Traffic from Barracuda IPs.     209.222.80.0/21 (255.255.248.0)     64.235.144.0/20 (255.255.240.0) This will stop Spammers from hitting your Network Directly and all SMTP Must come from us to be valid.   This is what I explained when I opened my case with Meraki/Cisco support. I think I need to use the Traffic Shaping-Flow Preferences-Internet Traffic section to make this happen. Can anyone tell me exactly what I need to enter and where? On the MX65, if I'm thinking of the correct section, my fields are Protocol, Source, Src port, Destination, Dst Port If something is not clear let me know and I'll be glad to update the post. Thanks...Dave  ... View more
© 2025 Cisco Systems, Inc.