
Creating a DMZ with the MX Security Appliance

The MX Security Appliance can be used to create a DMZ using VLANs, firewall rules, and 1:1 NAT mappings. To do this, three things need to be accomplished:

  1. Segment the network using VLANs.
  2. Restrict inter-VLAN traffic using ACLs.
  3. Forward desired traffic using NAT rules.

In this example, the network will be divided into two zones.

  • Internal - Contains clients and other devices not directly reachable from the Internet, but able to initiate outbound communication.
  • DMZ - Contains public facing servers and services.

Within the DMZ there is a web server at 172.16.32.2, which should be reachable by all internal clients and any Internet hosts. However, no communication should be allowed to Internal hosts that is initiated by the web server, and only web traffic should be allowed between Internal hosts and the web server in the DMZ. Clients and the DMZ server are both connected to a downstream managed switch. Refer to the topology below.

[Figure: network topology with the Internal VLAN, the DMZ VLAN, the web server at 172.16.32.2 and the downstream managed switch]

Segment the network into VLANs

  1. Navigate to Configure > Addressing & VLANs.
  2. Ensure that Mode is set to Network Address Translation (NAT).
  3. Set VLANs to "Enabled" if not already done.
  4. Create local VLANs for the Internal and DMZ networks, as shown below.
    [Screenshot: Internal and DMZ VLANs on the Addressing & VLANs page]
  5. Ensure that the LAN port connecting to the downstream switch is configured to correctly handle the two VLANs. In this case, VLAN 1 (Internal) is native and untagged, while VLAN 2 (DMZ) is tagged.
    Note: Ensure that the downstream switch is correctly configured to match these settings on the port connecting to the MX.
    [Screenshot: LAN port settings with VLAN 1 native and VLAN 2 tagged]
  6. Click Save Changes.

Restrict inter-VLAN traffic using ACLs

  1. Navigate to Configure > Firewall.
  2. Under Outbound rules, add the following layer 3 firewall rules.
    1. Allow TCP:80 traffic from the Internal VLAN to the web server.
    2. Allow TCP:443 traffic from the Internal VLAN to the web server.
    3. Block all other traffic from the Internal VLAN to the web server.
    4. Block all traffic from the DMZ VLAN to the Internal VLAN.
  3. Click Save Changes.

[Screenshot: the four outbound layer 3 firewall rules]

This will allow:

  • Internal clients and DMZ servers to communicate freely with the Internet.
  • Internal clients to access web resources on the web server.
  • Internet hosts to access web resources on the web server.

...while preventing:

  • Internal clients from accessing other resources on the web server or other DMZ servers (such as SSH or FTP).
  • DMZ servers from initiating connections to internal clients; only replies to Internal-initiated sessions are passed, so a compromised web server does not gain access to the internal network.
  • Internet hosts from accessing internal clients.
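To check that the four rules really produce the outcomes listed above, the following added example (illustrative code, not Meraki software) models the MX outbound rule evaluation: top-down, first match wins, with an implicit "allow any" at the bottom. The firewall is stateful, so only the packet that initiates a connection is evaluated; replies follow the session. The Internal subnet 192.168.1.0/24, the DMZ subnet 172.16.32.0/24 and the client and Internet addresses are constructed for the example; only the web server address 172.16.32.2 comes from the article. The `misordered_rules` function shows why rule order matters: placing the "block all other traffic" rule above the two allows silently breaks web access.

```python
"""
First-match model of the four outbound layer 3 rules in this article.

Added example (not Meraki code). Subnets and client addresses are constructed;
only the web server address 172.16.32.2 is from the article.
"""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")    # assumed VLAN 1 (Internal) subnet
DMZ = ip_network("172.16.32.0/24")         # assumed VLAN 2 (DMZ) subnet
WEB_SERVER = ip_network("172.16.32.2/32")  # web server from the article

# (policy, protocol, source, destination, destination ports); "any" = wildcard
RULES = [
    ("allow", "tcp", INTERNAL, WEB_SERVER, {80}),    # rule 1
    ("allow", "tcp", INTERNAL, WEB_SERVER, {443}),   # rule 2
    ("deny",  "any", INTERNAL, WEB_SERVER, "any"),   # rule 3
    ("deny",  "any", DMZ,      INTERNAL,   "any"),   # rule 4
]
DEFAULT_POLICY = "allow"  # the MX's implicit final rule


def rule_matches(rule, proto, src, dst, dport):
    """Return True if a connection initiation hits this rule."""
    _policy, r_proto, r_src, r_dst, r_ports = rule
    if r_proto != "any" and r_proto != proto:
        return False
    if ip_address(src) not in r_src or ip_address(dst) not in r_dst:
        return False
    return r_ports == "any" or dport in r_ports


def evaluate(rules, proto, src, dst, dport):
    """First matching rule decides; no match falls through to the default."""
    for rule in rules:
        if rule_matches(rule, proto, src, dst, dport):
            return rule[0]
    return DEFAULT_POLICY


def policy_outcomes(rules=RULES):
    """Exercise the flows the article says the rules allow and prevent."""
    client, server, internet = "192.168.1.10", "172.16.32.2", "203.0.113.10"
    return {
        "client->web:80":       evaluate(rules, "tcp", client, server, 80),
        "client->web:443":      evaluate(rules, "tcp", client, server, 443),
        "client->web:22":       evaluate(rules, "tcp", client, server, 22),
        "client->web:udp/53":   evaluate(rules, "udp", client, server, 53),
        "web->client:445":      evaluate(rules, "tcp", server, client, 445),
        "client->internet:443": evaluate(rules, "tcp", client, internet, 443),
        "web->internet:80":     evaluate(rules, "tcp", server, internet, 80),
    }


def misordered_rules():
    """Rule 3 moved to the top: the blanket deny now shadows the two allows."""
    return [RULES[2], RULES[0], RULES[1], RULES[3]]


if __name__ == "__main__":
    for flow, verdict in policy_outcomes().items():
        print(f"{flow:<22} {verdict}")
    print("misordered client->web:80:",
          policy_outcomes(misordered_rules())["client->web:80"])
```

Rules 1 to 3 use the web server's /32 as the destination, exactly as the article lists them; if the destination in those rules is widened to the DMZ subnet instead (an assumption about how the rules might be written, not something the article states), the same evaluator also covers other servers in the DMZ. Unsolicited inbound traffic from the Internet is not governed by these outbound rules at all; that is handled by the 1:1 NAT mapping in the next section.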

Forward desired traffic using NAT rules

  1. Navigate to Configure > Firewall.
  2. Under 1:1 NAT, add a 1:1 NAT mapping as shown below.
    1. The Public IP should be the public IP address, routed to the selected Uplink, that will be forwarded to the web server.
      Note: If using the public IP address on the MX itself, refer to the guide on port forwarding for this section.
    2. The LAN IP should be the IP address of the web server.
    3. Under Allowed inbound connections, select TCP ports 80 and 443 to forward web traffic to the web server.
    4. For Remote IPs enter "any", unless restricting to specific IP addresses or ranges.
  3. Click Save Changes.

[Screenshot: 1:1 NAT mapping for the web server with TCP 80 and 443 allowed inbound]
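The following added example (illustrative code, not Meraki software) models the 1:1 NAT mapping configured above. An inbound packet to the public IP is rewritten to the LAN IP only when its protocol and destination port appear under Allowed inbound connections and its source matches the Remote IPs filter; anything else is dropped, which is what keeps the rest of the web server and the Internal VLAN unreachable from the Internet. Outbound traffic from the LAN IP leaves sourced from the public IP. The public IP 198.51.100.20 and the remote addresses are constructed placeholders; the LAN IP 172.16.32.2 is the article's web server.

```python
"""
Model of the 1:1 NAT mapping from this article.

Added example (not Meraki code). Public IP and remote addresses are
constructed placeholders; the LAN IP 172.16.32.2 is the article's web server.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class OneToOneNat:
    public_ip: str
    lan_ip: str
    allowed_inbound: dict = field(default_factory=dict)  # proto -> set of ports
    remote_ips: tuple = ("any",)  # "any" or CIDR strings

    def remote_permitted(self, src_ip: str) -> bool:
        """Remote IPs filter: "any" passes everything, otherwise CIDR match."""
        if "any" in self.remote_ips:
            return True
        return any(ip_address(src_ip) in ip_network(n) for n in self.remote_ips)

    def translate_inbound(self, proto, src_ip, dst_ip, dst_port) -> Optional[tuple]:
        """Return the translated (proto, src, dst, port), or None when dropped."""
        if ip_address(dst_ip) != ip_address(self.public_ip):
            return None  # not addressed to this mapping's public IP
        if dst_port not in self.allowed_inbound.get(proto, set()):
            return None  # protocol/port not in Allowed inbound connections
        if not self.remote_permitted(src_ip):
            return None  # source outside the Remote IPs filter
        return (proto, src_ip, self.lan_ip, dst_port)

    def translate_outbound(self, proto, src_ip, dst_ip, dst_port) -> tuple:
        """Outbound traffic from the LAN IP is sourced from the public IP."""
        if ip_address(src_ip) == ip_address(self.lan_ip):
            return (proto, self.public_ip, dst_ip, dst_port)
        return (proto, src_ip, dst_ip, dst_port)


# The mapping from the article: TCP 80 and 443 forwarded, Remote IPs = any
WEB_NAT = OneToOneNat(
    public_ip="198.51.100.20",
    lan_ip="172.16.32.2",
    allowed_inbound={"tcp": {80, 443}},
)

# Same mapping with the Remote IPs filter narrowed to a single partner range
RESTRICTED_NAT = OneToOneNat(
    public_ip="198.51.100.20",
    lan_ip="172.16.32.2",
    allowed_inbound={"tcp": {80, 443}},
    remote_ips=("203.0.113.0/24",),
)


if __name__ == "__main__":
    for proto, port in (("tcp", 80), ("tcp", 443), ("tcp", 22), ("udp", 80)):
        print(proto, port, WEB_NAT.translate_inbound(proto, "203.0.113.10",
                                                     "198.51.100.20", port))
    print("restricted mapping, source outside the filter:",
          RESTRICTED_NAT.translate_inbound("tcp", "198.18.0.5",
                                           "198.51.100.20", 80))
```

Because only TCP 80 and 443 are listed, an inbound connection to any other port on the public IP (SSH, FTP, or UDP to port 80) is dropped before it reaches the DMZ, and narrowing Remote IPs from "any" to a CIDR turns the same mapping into a partner-only service.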

Last modified
17:45, 12 Aug 2016


Article ID

ID: 1475
