
Blocking Inbound Traffic on MX Security Appliances




When configuring a firewall for a network, the direction of traffic must be taken into account. Some traffic, like users browsing to the internet, will be initiated outbound. Other traffic, like access to a publicly facing server, initiates with an inbound connection. These situations are handled differently, since you can generally trust your users more than connections from the internet.




Controlling outbound traffic is an easy process: create an allow rule using the Layer 3 Firewall. This will affect 1:1 NATs, Port Forwards and standard WAN traffic. More information about the outbound firewall feature is available here. The inbound firewall is controlled a little differently.


The inbound firewall will deny any traffic that does not have a session initiated by a client behind the MX. This allows internal client machines to connect with any resources they need, but does not let outside devices initiate connections with inside client machines. The exception to this is if a Port Forward or 1:1 NAT is created. More information on Port Forwarding and 1:1 NAT can be found here.


Both Port Forwards and 1:1 NATs have a section for 'Allowed remote IPs'. This governs which outside addresses are allowed to initiate connections. Addresses specified here will be able to connect through the specified public ports. The 'ANY' keyword can be used to grant access to any address, or multiple addresses can be entered if they are separated by commas. Specifying only the addresses that should be communicating with inside nodes prevents unsolicited connections.
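The following audit sketch is an added example, not part of the original article or Meraki's own tooling. It flags Port Forward and 1:1 NAT rules whose 'Allowed remote IPs' are open to any address or to a very broad range. The rule data is constructed, and the field names and the `MIN_PREFIX` threshold are assumptions to adapt to your own rule export.

```python
import ipaddress

# Constructed sample rules. Field names follow the shape of Dashboard API rule
# objects as an assumption; adjust them to match your own export.
PORT_FORWARDS = [
    {"name": "web", "protocol": "tcp", "publicPort": "443",
     "allowedIps": ["any"]},
    {"name": "ssh-admin", "protocol": "tcp", "publicPort": "2222",
     "allowedIps": ["203.0.113.7", "198.51.100.0/24"]},
]
ONE_TO_ONE_NATS = [
    {"name": "mail", "allowedInbound": [
        {"protocol": "tcp", "destinationPorts": ["25"], "allowedIps": ["any"]},
        {"protocol": "tcp", "destinationPorts": ["993"], "allowedIps": ["0.0.0.0/0"]},
        {"protocol": "tcp", "destinationPorts": ["22"], "allowedIps": ["203.0.113.0/28"]},
    ]},
]
MIN_PREFIX = 16  # assumption: ranges broader than a /16 deserve a review

def classify(allowed_ips):
    """Return 'open', 'broad' or 'restricted' for one Allowed remote IPs list."""
    worst = "restricted"
    for entry in allowed_ips:
        text = entry.strip().lower()
        if text == "any":
            return "open"
        net = ipaddress.ip_network(text, strict=False)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 is 'any' in disguise
            return "open"
        if net.prefixlen < MIN_PREFIX:
            worst = "broad"
    return worst

def audit(port_forwards, nats):
    """List (rule description, verdict) for every rule that is not restricted."""
    findings = []
    for r in port_forwards:
        where = f"port-forward {r['name']} {r['protocol']}/{r['publicPort']}"
        findings.append((where, classify(r["allowedIps"])))
    for n in nats:
        for a in n["allowedInbound"]:
            where = f"1:1-nat {n['name']} {a['protocol']}/{','.join(a['destinationPorts'])}"
            findings.append((where, classify(a["allowedIps"])))
    return [f for f in findings if f[1] != "restricted"]

if __name__ == "__main__":
    for where, verdict in audit(PORT_FORWARDS, ONE_TO_ONE_NATS):
        print(f"{verdict.upper():<6} {where}")
```

Rules reported as open may be intentional for public services such as a web server; the value of the audit is in confirming that each one is a deliberate choice.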


Below is an example of both Port Forwarding and 1:1 NAT rules.


Restricting inbound access is an important part of increasing security within a network. By either restricting inbound connections or limiting outbound replies, unwanted traffic can be minimized.


Article ID

ID: 1477
