
Port Forwarding Caveats


Overview

The purpose of this KB is to discuss two port forward configurations that will generate issues with the MX's VPN and Local Status page.

Details

The important thing to remember about port forwards is that all inbound traffic destined for the forwarded port will be sent to the LAN client specified in the rule. The figure below shows a port forward that will send all port 6001 traffic from a specific host (remote IP) to a specific port.

You can choose to allow packets from any source to the LAN Client by adding ANY here.  The next diagram shows how the traffic would flow from the device(s) on the Internet.

 


This is a great way to allow services from the outside in without an existing connection when you only have one public IP. If you have multiple IPs, you can configure a 1:1 NAT, which allows for more flexibility. For more information on 1:1 NAT, click here.

However, there are two Port Forwarding rules that may cause problems with services on the MX.

The first commonly configured port forward that can cause an issue is one for TCP ports 80 and 443. This is usually configured if you have a web server behind your firewall: you need to allow inbound connections so external users can reach the web content. If you only have one public IP, you'll have to redirect all TCP 80 and 443 traffic to your inside web server.

If port forwarding for TCP port 80 and 443 is configured, it will break the Appliance Service “Web(Local Status & Configuration).” This is found under Configure > Firewall.

This service is the Internet-facing Local Status page (wired.meraki.com). You can access the Local Status page by browsing to https://mx-outside-ip. With the port forward in place, traffic destined for your MX on TCP 80 and 443 is forwarded to your web server by the port forward rule instead.

The second port forward rule that causes issues is one that forwards UDP 500 or 4500 to a specific server. This reroutes all Site-to-Site and Client VPN traffic to the host specified.
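
The check below is an added example, not Meraki code: it scans a list of port forward rules and reports any whose public port covers TCP 80/443 or UDP 500/4500, including rules that cover them through a range. The rule field names (`name`, `protocol`, `public_port`, `lan_ip`) and the sample rules are constructed for illustration and are not taken from the dashboard.

```python
# Added example: flag port forwards that collide with the MX services named above.
# Rule field names and sample rules are constructed for illustration.

# Ports whose forwarding the article says causes problems, and the service affected.
RESERVED = {
    ("tcp", 80): "Local Status page (Web appliance service)",
    ("tcp", 443): "Local Status page (Web appliance service)",
    ("udp", 500): "Site-to-Site and Client VPN",
    ("udp", 4500): "Site-to-Site and Client VPN",
}


def parse_ports(spec):
    """Expand '80', '80,443' or '8000-8100' into a list of (low, high) ranges."""
    ranges = []
    for part in str(spec).split(","):
        low, _, high = part.strip().partition("-")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port range: {part!r}")
        ranges.append((low, high))
    return ranges


def find_conflicts(rules):
    """Return (rule name, protocol, port, affected service) for each collision."""
    conflicts = []
    for rule in rules:
        ranges = parse_ports(rule["public_port"])
        for (proto, port), service in RESERVED.items():
            if rule["protocol"].lower() != proto:
                continue
            if any(low <= port <= high for low, high in ranges):
                conflicts.append((rule["name"], proto, port, service))
    return conflicts


# Constructed sample rule set (private RFC 1918 addresses).
SAMPLE_RULES = [
    {"name": "web server", "protocol": "TCP", "public_port": "80,443", "lan_ip": "192.168.1.10"},
    {"name": "app", "protocol": "tcp", "public_port": "6001", "lan_ip": "192.168.1.20"},
    {"name": "vpn host", "protocol": "udp", "public_port": "400-600", "lan_ip": "192.168.1.30"},
    {"name": "udp 443", "protocol": "udp", "public_port": "443", "lan_ip": "192.168.1.40"},
]

if __name__ == "__main__":
    for name, proto, port, service in find_conflicts(SAMPLE_RULES):
        print(f"{name}: {proto.upper()} {port} forward will break {service}")
```

The UDP 443 rule is not flagged because only TCP 80/443 carry the Local Status page, while the 400-600 UDP range is flagged because it silently includes UDP 500.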

For more information about how to create a port forward on an MX firewall, please follow this link to see a full setup guide for port forwards.

Last modified
18:19, 9 Feb 2016


Article ID

ID: 1335
