Meraki

Community

About JWvE

Re: Use FQDNs or policy objects in port forwarding rules

by in Security & SD-WAN
‎May 3 2022 4:14 AM
2 Kudos
‎May 3 2022 4:14 AM
2 Kudos
I mostly understand what you are saying about the move from on prem to the cloud. We provide however services to our clients that moved their servers from on prem to our datacenter and now the move is from our private cloud to the public cloud. We have less racks in our datacenter than we had before, but we still host management portals, knowledgebases, terminal servers, databases. legacy applications for hotel chains, etc. The people that need access to these servers are not necessarily our own users, we do not manage the devices that they are using, we cannot easily authenticate their acccounts with an identity provider for SAML, MFA or some kind of SSO, etc. Using client VPN is opening up a whole can of worms at least before Meraki started to support Cisco AnyConnect. Site to site VPN is sometimes an option, but setting up tunnels between firewalls from different manufacturers where we manage only one tunnel endpoint is not very much fun either. We can certainly engineer our way out of this by using WebRTC, ZeroTier (great concept!) or Cisco AnyConnect, etc. which is obviously better. I mean, in the end this IP whitelisting thing is based on the wrong assumption that an IP address tells you something about an identity that is authorised to access the application, but one should not use an IP address as a means of authentication. But sometimes it helps to have an additional layer of security especially for ugly things like web interfaces for CCTV systems, etc. And than you would really need to use FQDNs of policy objects to prevent you from changing the port forwarding rule everytime an IP address changes.  What I do not understand is what you are saying about the impossibility to use FQDNs because of the way the engine works or that an internal client is supposed to make a DNS query first. Using policy objects or using FQDNs is the same thing if the policy object is a FQDN. And for outbound rules the policy objects are already supported, so the MX already is doing DNS queries and it needs to repeat these queries every now and then.  Let me give you an example of what I would like to build in case I was not clear. We have a CCTV system and only security needs access to it from home their homes. So I create two policy objects, securityperson01.company.com and securityperson02.company.com and I put these two policy objects in a policy object group. And I create a port forwarding rule with the policy object group as 'allowed remote IPs'.  I tell security person 01 and security person 02 to use something like DynDNS and give me their dynamic FQDNs. I create two CNAME records in the domain company.com where securitperson01.company.com resolves to the CNAME of the dynamic FQDN of security person 01 and I do the same for the other one. Now everytime the IP address changes of one of the members of the security team they are still able to access the CCTV system. And when one of the security team members leaves the company, I delete his or her DNS record.  So I create a  ... View more

Use FQDNs or policy objects in port forwarding rules

by in Security & SD-WAN
‎May 2 2022 8:56 AM
‎May 2 2022 8:56 AM
Hi, we are looking for a way to use policy objects and FQDNs in our port forwarding rules. Is there any news on when this will be supported? In an ever more dynamic world where static IPv4 addresses are no longer the norm and IPv6 adoption is increasing, listing a number of IP addresses is not working any more. It needs to be more intelligent than that. I read somewhere about a beta feature: custom layer 3 inbound firewall rules. Will that cover what we would like.    And somewhere else I encountered a discussion where someone suggested that you could use policy objects in port forwarding rules when you add those through the API. I am curious to know if that would work and how that will look in the Dashboard.   Please share your thoughts,   JW ... View more

Re: Tell Cisco About Your ZTNA Needs!

by in Security & SD-WAN
‎Jan 19 2022 7:58 AM
2 Kudos
‎Jan 19 2022 7:58 AM
2 Kudos
Hi BlakeRichardson, I agree with you, but layer 2 has no real meaning when people work from everywhere (home, train, coffeeshop, hotel, girlfriend) in a multicloud environment. And layer 3, what kind of traffic will be allowed (protocol, IP address, port) from what source IP to what destination IP, does not tell me anything about who the actual person is that is generating this traffic. In an era where (mobile) providers use carrier grade NAT and where both source and destination IP addresses in general are subject to change everyday I am not really interested in IP addresses anymore as a security mechanism. I want to know who that person is. ... View more

Re: Exported subnets - VPN

by in Security & SD-WAN
‎Aug 21 2019 4:44 AM
2 Kudos
‎Aug 21 2019 4:44 AM
2 Kudos
What it basically does is that it tells the other MX appliances in the AutoVPN that they can reach that particular subnet through this MX appliance.  ... View more

Re: Update your avatar, win Meraki swag!

by in Community Announcements
‎Jun 25 2019 2:05 AM
2 Kudos
‎Jun 25 2019 2:05 AM
2 Kudos
I have a new avatar! It is an interpreters badge from WW1. ... View more

Re: Newbie question on routing

by in Security & SD-WAN
‎Jun 20 2018 4:16 AM
1 Kudo
‎Jun 20 2018 4:16 AM
1 Kudo
Yes, I am awfully sorry, this is incredibly silly. I did of course check the Windows firewall. I checked it, however, when I was connected to the office LAN, not after I patched my PC at the MX64. My PC thinks this is a new network and decides to block ICMP as the default setting. I am really sorry to have bothered you, but also very thankful. ... View more

Newbie question on routing

by in Security & SD-WAN
‎Jun 19 2018 7:08 AM
‎Jun 19 2018 7:08 AM
Hi, we have two sites linked through AutoVPN. Site A: 192.168.148.0/24, the MX64 has 192.168.148.254. Site B: 192.168.71.0/24, the MX64 has 192.168.71.1. My PC is in site B and has 192.168.71.2. From my PC in site B I can ping any device in site A. From any device in site A I can ping the MX64 in site B, but I cannot ping my PC. From the MX64 in site B however I can ping my PC.   I don't really understand how that is possible. I must be overlooking something, I am very new to Meraki.    The MX64 in site B is configured in NAT mode.  The MX64 in site A is in passthrough mode.   Devices in site A know about the route to the IP subnet in site through a static route on the default gateway in site A.    From a host in site A:   Tracert 192.168.71.1   Tracing route to 192.168.71.1 over a maximum of 30 hops 1 <1 ms <1 ms <1 ms 192.168.148.1 2 <1 ms <1 ms <1 ms 192.168.148.254 3 8 ms 6 ms 6 ms 192.168.71.1 Trace complete.   Tracert 192.168.71.2   Tracing route to 192.168.71.2 over a maximum of 30 hops 1 <1 ms <1 ms <1 ms 192.168.148.1 2 <1 ms <1 ms <1 ms 192.168.148.254 3 * * * Request timed out. 4 * * * Request timed out.   I would be very happy if someone could point me in the right direction.   Thank you ... View more
© 2024 Cisco Systems, Inc.