
Firewall Settings

The firewall settings page in the Meraki Dashboard is accessible via Security Appliance/Teleworker Gateway > Configure > Firewall. On this page you can configure Layer 3 and Layer 7 outbound firewall rules, publicly available appliance services, port forwarding, 1:1 NAT mappings, and 1:Many NAT mappings.

In NAT mode, all inbound connections are denied by default, except for ICMP traffic to the appliance itself. To allow additional inbound traffic, create a port forwarding rule or NAT policy that explicitly permits connections based on protocol, port, or remote IP address (see below).

Outbound connections are allowed by default. Customers may need to add a default deny rule for compliance and increased security.

Outbound rules

Here you can configure permit or deny Access Control List (ACL) statements to determine what traffic is allowed between VLANs or out from the LAN to the Internet. These ACL statements can be based on protocol, source IP address and port, and destination IP address and port. These rules do not apply to VPN traffic. To configure firewall rules that affect traffic between VPN peers, please refer to Site-to-site VPN Settings.

Click Add a rule to add a new outbound firewall rule.

  • The Policy field determines whether the ACL statement permits or blocks traffic that matches the criteria specified in the statement.
  • The Protocol field allows you to specify TCP traffic, UDP traffic, ICMP traffic, or Any.
  • The Sources and Destinations fields support IPs or CIDR subnets. Multiple IPs or subnets can be entered comma-separated.
  • The Src Port and Dst Port fields support port numbers or port ranges. Multiple ports can be entered comma-separated. Port ranges cannot be entered comma-separated.
  • You can enter additional information in the Comments field.

Under Actions you can move your configured rules up or down in the list. You can also click the X next to a rule to remove it from the list.
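The rule fields above combine into an ordered list, and the Actions controls exist because that order decides the outcome. The following Python model is an added example, not Meraki code or anything the page ships: it represents each outbound rule with the fields described above (None standing in for "Any"), evaluates a flow against the list top to bottom with first match winning (an assumption of this example), and falls back to allow when nothing matches, which is the default the page describes. The rule sets and addresses are constructed; appending the explicit default-deny rule mentioned earlier is what turns the implicit allow into a block.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of one outbound Layer 3 rule as entered on the Firewall page.
# "Any" in the dashboard is represented as None; comma-separated entries are kept
# as the string the dashboard would accept. Top-to-bottom, first-match-wins
# evaluation is an assumption of this example, not something the page states.
@dataclass(frozen=True)
class OutboundRule:
    policy: str                 # "allow" or "deny"
    protocol: str               # "tcp", "udp", "icmp" or "any"
    src: Optional[str]          # e.g. "10.0.20.0/24,10.0.30.5"; None means Any
    src_port: Optional[str]     # e.g. "80,443" or "1024-65535"; None means Any
    dst: Optional[str]
    dst_port: Optional[str]
    comment: str = ""


def _cidr_match(field: Optional[str], ip: str) -> bool:
    """Match an address against a comma-separated list of IPs or CIDR subnets."""
    if field is None:
        return True
    addr = ipaddress.ip_address(ip)
    for item in field.split(","):
        item = item.strip()
        if "/" not in item:  # a bare IP is treated as a single-host prefix
            item += "/32" if addr.version == 4 else "/128"
        if addr in ipaddress.ip_network(item, strict=False):
            return True
    return False


def _port_match(field: Optional[str], port: int) -> bool:
    """Match a port against comma-separated ports or a single range (never both)."""
    if field is None:
        return True
    if "-" in field:
        lo, hi = (int(x) for x in field.split("-", 1))
        return lo <= port <= hi
    return port in {int(x) for x in field.split(",")}


def evaluate(rules: List[OutboundRule], protocol: str, src_ip: str,
             src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Walk the ordered rule list and return (policy, comment) of the first match.
    With no match the connection is allowed, mirroring the default described above."""
    for r in rules:
        if r.protocol not in ("any", protocol):
            continue
        if not (_cidr_match(r.src, src_ip) and _cidr_match(r.dst, dst_ip)):
            continue
        # Ports only exist for TCP/UDP; an ICMP flow ignores the port fields.
        if protocol in ("tcp", "udp") and not (
            _port_match(r.src_port, src_port) and _port_match(r.dst_port, dst_port)
        ):
            continue
        return r.policy, r.comment
    return "allow", "implicit default allow"


# Constructed rule set: a guest VLAN (10.0.20.0/24), an office VLAN (10.0.10.0/24)
# and an internal resolver; 198.51.100.0/24 stands in for an external service.
BASE_RULES = [
    OutboundRule("deny", "any", "10.0.20.0/24", None, "10.0.0.0/8", None,
                 "guest VLAN may not reach internal subnets"),
    OutboundRule("allow", "tcp", None, None, None, "80,443", "web browsing"),
    OutboundRule("allow", "udp", None, None, "10.0.10.53", "53", "internal DNS"),
    OutboundRule("allow", "tcp", "10.0.10.0/24", None, None, "1024-65535",
                 "office VLAN to high ports"),
]

# The same list with the explicit default-deny rule the page mentions appended.
HARDENED_RULES = BASE_RULES + [
    OutboundRule("deny", "any", None, None, None, None, "default deny"),
]


if __name__ == "__main__":
    flows = [
        ("tcp", "10.0.20.7", 51000, "10.0.10.5", 443),       # guest to office web
        ("tcp", "10.0.20.7", 51000, "198.51.100.10", 22),    # guest to external SSH
        ("tcp", "10.0.10.5", 51000, "198.51.100.10", 8443),  # office to high port
        ("icmp", "10.0.10.5", 0, "198.51.100.10", 0),        # office ping
    ]
    for name, rules in (("base", BASE_RULES), ("hardened", HARDENED_RULES)):
        for flow in flows:
            print(name, flow, "->", evaluate(rules, *flow))
```

The first flow is the one worth noticing: the guest-to-office HTTPS connection is denied by the first rule even though the second rule would allow TCP 443, which is exactly why moving a rule up or down under Actions changes behaviour.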

Template Firewall Rules

Additional options are available when configuring firewall rules on a configuration template. For details, see the Firewall rules for templates section of the Configuration Templates page.

Cellular failover rules

These firewall rules are appended to the existing outbound rules when the appliance has failed over to using a cellular modem as its uplink. This can be useful for limiting cellular traffic to only business-critical uses in order to prevent unnecessary cellular overages.

Appliance services

  • ICMP Ping: Use this setting to allow the MX to reply to inbound ICMP ping requests coming from the specified address(es). Supported values for the remote IP address field include None, Any, or a specific IP range (using CIDR notation). You can also enter multiple IP ranges separated by commas. To add specific IP addresses rather than ranges, use the format X.X.X.X/32.
  • Web (local status & configuration): Use this setting to allow or disable access to the local management page (wired.meraki.com) via the WAN IP of the MX. Supported values for the remote IPs field are the same as for ICMP Ping.
  • SNMP: Use this setting to allow SNMP polling of the appliance from the WAN. Supported values for the remote IPs field are the same as for ICMP Ping.

Layer 7 Firewall Rules

Using Meraki's unique layer 7 traffic analysis technology, it is possible to create firewall rules to block specific web-based services, websites, or types of websites without having to specify IP addresses or port ranges. This can be particularly useful when applications or websites use more than one IP address, or when their IP addresses or port ranges are subject to change.

It is possible to block applications by category (e.g. 'All video & music sites') or for a specific type of application within a category (e.g. only iTunes within the 'Video & music' category). The figure below illustrates a set of layer 7 firewall rules that includes both blocking entire categories and blocking specific applications within a category:

It is also possible to block traffic based on HTTP hostname, destination port, remote IP range, and destination IP/port combinations.

Geo-IP Based Firewalling

The Layer 7 Firewall can also be used to block traffic based on the source country of inbound traffic or the destination country of outbound traffic. To do so, create a new Layer 7 Firewall rule and select Countries... from the Application drop-down. You have the option of blocking all traffic to or from a specified set of countries or blocking any traffic that is not to or from a specified set of countries.

Geo-IP firewall rules are available only in the Advanced Security Edition.

Forwarding rules

Use this area to configure port forwarding rules and 1:1 NAT mappings as desired.

Port forwarding

Use this option to forward traffic destined for the WAN IP of the MX on a specific port to any IP address within a local subnet or VLAN. Click Add a port forwarding rule to create a new port forward. You need to provide the following:

  • Description: A description of the rule.
  • Uplink: Listen on the Public IP of Internet 1, Internet 2, or both.
  • Protocol: TCP or UDP.
  • Public port: Destination port of the traffic that is arriving on the WAN.
  • LAN IP: Local IP address to which traffic will be forwarded.
  • Local port: Destination port of the forwarded traffic that will be sent from the MX to the specified host on the LAN. If you simply wish to forward the traffic without translating the port, this should be the same as the Public port.
  • Allowed remote IPs: Remote IP addresses or ranges that are permitted to access the internal resource via this port forwarding rule.

You can also create a port forwarding rule to forward a range of ports. However, the range configured in the Public port field must be the same length as the range configured in the Local port field. The public ports will be forwarded to their corresponding local ports within the range. For instance, if you forward TCP 223-225 to TCP 628-630, port 223 would be translated to 628, port 224 would be translated to 629, and port 225 would be translated to 630.
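The port-range mapping and the Allowed remote IPs field are easy to get wrong, so the following Python model is added here as an example (it is not Meraki code and not part of the page): it carries the fields of a port forwarding rule, enforces the equal-length constraint on public and local ranges, and resolves an inbound packet arriving on the WAN IP to the LAN host and translated port, returning nothing when no rule admits it, since inbound connections are denied by default. The rules and addresses are constructed; treating the allowed-remote-IP check as part of rule matching, so that a non-matching source falls through to later rules, is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed model of one port forwarding rule with the fields listed above.
@dataclass(frozen=True)
class PortForward:
    description: str
    uplink: str               # "internet1", "internet2" or "both"
    protocol: str             # "tcp" or "udp"
    public_port: str          # "443" or a range such as "223-225"
    lan_ip: str
    local_port: str           # single port, or a range of the same length
    allowed_remote_ips: str   # "any" or comma-separated IPs/CIDRs


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Turn "443" or "223-225" into an inclusive (low, high) tuple."""
    parts = spec.split("-", 1)
    lo = int(parts[0])
    hi = int(parts[1]) if len(parts) == 2 else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"invalid port specification {spec!r}")
    return lo, hi


def validate(rule: PortForward) -> bool:
    """True when the public range and the local range have the same length."""
    plo, phi = parse_port_spec(rule.public_port)
    llo, lhi = parse_port_spec(rule.local_port)
    return phi - plo == lhi - llo


def _remote_allowed(field: str, src_ip: str) -> bool:
    """Check the packet source against the Allowed remote IPs field."""
    if field.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(src_ip)
    for item in field.split(","):
        item = item.strip()
        if "/" not in item:  # a bare IP is treated as a single-host prefix
            item += "/32" if addr.version == 4 else "/128"
        if addr in ipaddress.ip_network(item, strict=False):
            return True
    return False


def forward(rules: List[PortForward], uplink: str, protocol: str,
            src_ip: str, dst_port: int) -> Optional[Tuple[str, int, str]]:
    """Return (lan_ip, local_port, description) for an inbound packet on the WAN IP,
    or None when no rule admits it (inbound connections are denied by default).
    A rule whose ranges differ in length is rejected, as the dashboard would."""
    for r in rules:
        if not validate(r):
            raise ValueError(f"{r.description}: public and local ranges differ in length")
        if r.uplink not in ("both", uplink) or r.protocol != protocol:
            continue
        plo, phi = parse_port_spec(r.public_port)
        if not plo <= dst_port <= phi:
            continue
        if not _remote_allowed(r.allowed_remote_ips, src_ip):
            continue
        llo, _ = parse_port_spec(r.local_port)
        # The offset within the public range maps onto the same offset in the local range.
        return r.lan_ip, llo + (dst_port - plo), r.description
    return None


# Constructed rules: the page's 223-225 -> 628-630 range, plus an SSH forward that
# only a single external network (198.51.100.0/24) may reach on Internet 1.
RULES = [
    PortForward("camera range", "both", "tcp", "223-225", "10.0.10.20", "628-630", "any"),
    PortForward("ssh admin", "internet1", "tcp", "22", "10.0.10.30", "22", "198.51.100.0/24"),
]


if __name__ == "__main__":
    for args in [("internet1", "tcp", "203.0.113.9", 224),
                 ("internet1", "tcp", "203.0.113.9", 22),
                 ("internet1", "tcp", "198.51.100.7", 22),
                 ("internet1", "udp", "203.0.113.9", 224)]:
        print(args, "->", forward(RULES, *args))
```

Two behaviours worth keeping in mind when reading the output: a packet on public port 224 lands on local port 629 because only the offset inside the range is preserved, and the SSH forward is invisible to sources outside the allowed range, so a port forward with a tight Allowed remote IPs value exposes nothing to the rest of the Internet.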

1:1 NAT

Use this option to map an IP address on the WAN side of the MX (other than the WAN IP of the MX itself) to a local IP address on your network. Click Add a 1:1 NAT mapping to create a new mapping. You need to provide the following:

  • Name: A descriptive name for the rule
  • Public IP: The IP address that will be used to access the internal resource from the WAN.
  • LAN IP: The IP address of the server or device that hosts the internal resource that you wish to make available on the WAN.
  • Uplink: The physical WAN interface on which the traffic will arrive.
  • Allowed inbound connections: The ports this mapping will provide access on, and the remote IPs that will be allowed access to the resource. To enable an inbound connection, click Allow more connections and enter the following information:
    • Protocol: Choose from TCP, UDP, ICMP ping, or any.
    • Ports: Enter the port or port range that will be forwarded to the host on the LAN. You can specify multiple ports or ranges separated by commas.
    • Remote IPs: Enter the range of WAN IP addresses that are allowed to make inbound connections on the specified port or port range. You can specify multiple WAN IP ranges separated by commas.

Under Actions you can move a configured rule up or down in the list. Click the X to remove it entirely.

Creating a 1:1 NAT rule does not automatically allow inbound traffic to the public IP listed in the NAT mapping. By default all inbound connections are denied. You will have to configure Allowed inbound connections as described above in order to allow the inbound traffic.

1:Many NAT

1:Many NAT, also known as Port Address Translation (PAT), is more flexible than 1:1 NAT. It allows you to specify one public IP that has multiple forwarding rules for different ports and LAN IPs. To add a 1:Many NAT listener IP, click Add 1:Many IP.

  • Public IP: The IP address that will be used to access the internal resource from the WAN.
  • Uplink: The physical WAN interface on which the traffic will arrive.

A 1:Many NAT entry will be created with one associated forwarding rule. To add additional rules, click Add a port forwarding rule under the existing rule or rules for a particular 1:Many entry.

  • Description: A description of the rule.
  • Protocol: TCP or UDP.
  • Public port: Destination port of the traffic that is arriving on the WAN.
  • LAN IP: Local IP address to which traffic will be forwarded.
  • Local port: Destination port of the forwarded traffic that will be sent from the MX to the specified host on the LAN. If you simply wish to forward the traffic without translating the port, this should be the same as the Public port.
  • Allowed remote IPs: Remote IP addresses or ranges that are permitted to access the internal resource via this port forwarding rule.

Bonjour Forwarding

Use this feature to allow Bonjour to work between VLANs. Click Add a Bonjour forwarding rule to create a new forwarding rule.

  • Description: Specify a name for the rule.
  • Service VLANs: Select one or more VLANs where network services are running. Bonjour requests from the Client VLANs will be forwarded to these VLANs.
  • Client VLANs: Select one or more VLANs from which client Bonjour requests can originate. Requests on these VLANs will be forwarded to the Service VLANs. The list of services that can be forwarded includes:
    • All services
    • AirPlay
    • Printers
    • AFP (Apple file sharing)
    • Scanners
    • iChat
Last modified
12:34, 20 Jan 2017


Article ID

ID: 4368
