Cisco Meraki Documentation

Creating a DMZ with the MX Security Appliance

The MX Security Appliance can be used to create a DMZ using VLANs, firewall rules, and 1:1 NAT mappings. To do this, three things need to be accomplished:

  1. Segment the network using VLANs.
  2. Restrict inter-VLAN traffic using ACLs.
  3. Forward desired traffic using NAT rules.

In this example, the network will be divided into two zones.

  • Internal - Contains clients and other devices not directly reachable from the Internet, but able to initiate outbound communication.
  • DMZ - Contains public facing servers and services.

Within the DMZ there is a web server at 172.16.32.2, which should be reachable by all internal clients and any Internet hosts. However, no communication should be allowed to Internal hosts that is initiated by the web server, and only web traffic should be allowed between Internal hosts and the web server in the DMZ. Clients and the DMZ server are both connected to a downstream managed switch. Refer to the topology below.

Network Diagram of MX VLANs separating client and DMZ server traffic

Segment the network into VLANs

  1. Navigate to Configure > Addressing & VLANs.
  2. Ensure that Mode is set to Routed.
  3. Set VLANs to "Enabled" if not already done.
  4. Create local VLANs for the Internal and DMZ networks, as shown below.
    Screenshot of MX Addressing & VLANs VLAN Editor
  5. Ensure that the LAN port connecting to the downstream switch is configured to correctly handle the two VLANs. In this case, VLAN 1 (Internal) is native and untagged, while VLAN 2 (DMZ) is tagged.
    Note: Ensure that the downstream switch is correctly configured to match these settings on the port connecting to the MX.
    Screenshot of MX Addressing & VLANs Per-port configuration
  6. Click Save Changes.

Restrict inter-VLAN traffic using ACLs

  1. Navigate to Configure > Firewall.
  2. Under Outbound rules, add the following layer 3 firewall rules.
    1. Allow TCP:80 traffic from the Internal VLAN to the web server.
    2. Allow TCP:443 traffic from the Internal VLAN to the web server.
    3. Block all other traffic from the Internal VLAN to the web server and DMZ VLAN.
    4. Block all traffic from the DMZ VLAN to the Internal VLAN.
  3. Click Save Changes.

Screenshot of MX L3 Outbound firewall rule configuration

This will allow:

  • Internal clients and DMZ servers to communicate freely with the Internet.
  • Internal clients to access web resources on the web server.
  • Internet hosts to access web resources on the web server.

...while preventing:

  • Internal clients from accessing other resources (such as SSH or FTP) on the web server or on other DMZ servers.
  • DMZ servers from accessing internal clients, unless in reply (to prevent allowing access to the internal network if the web server is compromised).
  • Internet hosts from accessing internal clients.
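To confirm that the ordered rule list above really produces this allow/deny matrix before saving it, here is an added Python example (not Meraki's code) that models the MX's first-match evaluation of the layer 3 outbound rules with the implicit final allow. The Internal subnet, the DMZ subnet, and the API-style field names are assumptions, since the page only gives the web server's address.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: the page gives only the web server's IP (172.16.32.2).
INTERNAL_NET = "192.168.1.0/24"   # VLAN 1, Internal (assumed subnet)
DMZ_NET      = "172.16.32.0/24"   # VLAN 2, DMZ (assumed subnet)
WEB_SERVER   = "172.16.32.2/32"

# The four rules from the article, in order. First match wins and the MX ends the
# outbound list with an implicit "allow any". Field names follow the Dashboard API's
# l3FirewallRules shape (an assumption; the page configures this in the UI).
L3_RULES = [
    {"comment": "Internal -> web server HTTP",  "policy": "allow", "protocol": "tcp",
     "srcCidr": INTERNAL_NET, "srcPort": "Any", "destCidr": WEB_SERVER, "destPort": "80"},
    {"comment": "Internal -> web server HTTPS", "policy": "allow", "protocol": "tcp",
     "srcCidr": INTERNAL_NET, "srcPort": "Any", "destCidr": WEB_SERVER, "destPort": "443"},
    {"comment": "Block all other Internal -> DMZ", "policy": "deny", "protocol": "any",
     "srcCidr": INTERNAL_NET, "srcPort": "Any", "destCidr": DMZ_NET, "destPort": "Any"},
    {"comment": "Block DMZ -> Internal", "policy": "deny", "protocol": "any",
     "srcCidr": DMZ_NET, "srcPort": "Any", "destCidr": INTERNAL_NET, "destPort": "Any"},
]

def _cidr_match(cidr, addr):
    return cidr.lower() == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def _port_match(spec, port):
    # Accepts "Any", a single port, a comma list ("80,443") or a range ("8000-8080").
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, proto, src, dst, dport, sport=None):
    """Return 'allow' or 'deny' for a NEW connection; replies to allowed
    connections are handled by the MX's state table, not by these rules."""
    for r in rules:
        if r["protocol"] != "any" and r["protocol"] != proto:
            continue
        if (_cidr_match(r["srcCidr"], src) and _cidr_match(r["destCidr"], dst)
                and _port_match(r["destPort"], dport)
                and (sport is None or _port_match(r["srcPort"], sport))):
            return r["policy"]
    return "allow"   # implicit default at the end of the outbound rule list
```

Because the implicit default is allow, the two deny rules are what actually isolate the zones; removing either one silently re-opens the corresponding direction.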

Forward desired traffic using NAT rules

  1. Navigate to Configure > Firewall.
  2. Under 1:1 NAT, add a 1:1 NAT mapping as shown below.
    1. The Public IP should be the IP address being directed to the selected Uplink, which will be forwarded to the web server.
      Note: If using the public IP address on the MX itself, refer to the guide on port forwarding for this section.
    2. The LAN IP should be the IP address of the web server.
    3. Under Allowed inbound connections, select TCP ports 80 and 443 to forward web traffic to the web server.
    4. For Remote IPs enter "any", unless restricting to specific IP addresses or ranges.
  3. Click Save Changes.

Screenshot of configured 1:1 NAT rule for DMZ server use
