Cisco Meraki Documentation

Blocking Inbound Traffic on MX Security Appliances

Overview


When configuring a firewall for a network, it's crucial to consider the direction of traffic. Some traffic, such as users browsing the internet, is initiated outbound. On the other hand, access to a publicly facing server begins with an inbound connection. These cases are handled differently because, in general, you can trust your own users more than connections arriving from the internet.

Details

Controlling outbound traffic is an easy process: create an allow rule using the Layer 3 Firewall. This will affect 1:1 NAT, Port Forwarding, and standard WAN traffic. More information about the outbound firewall feature is available in MX Firewall Settings. The inbound firewall is controlled a little bit differently.

The inbound firewall will deny any traffic that does not have a session initiated by a client behind the MX. This allows internal client machines to connect with any resources needed but does not let outside devices initiate connections with inside client machines. 

For example, let's suppose we have PC A, located somewhere on the internet, and PC B, located in the MX's LAN. PC A tries to send traffic to PC B. The MX will receive this traffic and check whether there is already an existing session/connection between PC B and PC A.

  • If there is an existing session, it will allow the traffic through.
    • Inbound traffic that belongs to an existing connection or session with a client behind the LAN is allowed inside.
    • The inbound firewall's ability to keep track of existing connections makes it a stateful firewall. Both the inbound and outbound firewalls are stateful.
  • If there is no existing session, it will NOT allow the traffic through, and the traffic will be dropped.
    • Inbound traffic that does NOT have an existing connection or session with a client behind the LAN is not allowed inside.

The exception is if a Port Forwarding or 1:1 NAT is created. More information on Port Forwarding and 1:1 NAT can be found in Port Forwarding and NAT Rules on the MX.

Both Port Forwarding and 1:1 NAT have a section for Allowed remote IPs. This governs which outside addresses are allowed to initiate connections. Addresses specified here will be able to connect through the specified public ports. The Any keyword can be used to grant access to any address, or multiple addresses can be entered if they are separated by a comma. By specifying addresses that should be communicating with inside nodes, unsolicited connections will be prevented.

Below is an example of both Port Forwarding and 1:1 NAT rules:


Traffic Flow using Port Forwarding Rule

Using the port forwarding rule above, suppose PC A makes a connection to the MX's WAN IP on TCP port 10000.

Traffic initiated from PC A to port 10000.

The MX will check whether the packet matches any of the configured forwarding rules. If there is no match, the traffic will be dropped; if there is a match, it will be allowed.

Inbound traffic reaches the MX and is checked against the MX's inbound firewall rules and the configured port forwarding and 1:1 NAT rules.

In this case the inbound traffic is allowed inside because it meets the criteria for the port forwarding rule:

  1. Protocol is TCP
  2. Public port used is 10000
  3. IP address is 81.0.0.1
    • Traffic from this IP address is allowed due to the Any rule in the Allowed remote IPs section. It's recommended to restrict the IP addresses allowed to use a port forwarding and/or 1:1 NAT rule so unsolicited connections are prevented. 

MX allows traffic inside since it matches a port forwarding rule.
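To make the decision order above concrete, here is an added Python model of the inbound checks (existing session first, then port forwarding / 1:1 NAT rules with their Allowed remote IPs, otherwise drop). It is illustrative code written for this article, not Meraki's implementation; the LAN host 10.0.0.10 and the remote addresses 203.0.113.0/24, 198.51.100.7 and 198.51.100.5 are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str     # address on the internet side (PC A)
    src_port: int
    dst_port: int   # public port on the MX WAN IP

@dataclass
class ForwardRule:
    proto: str
    public_port: int
    lan_ip: str
    local_port: int
    allowed_remote: str = "Any"   # "Any" or comma-separated IPs/CIDRs, as in the dashboard field

    def permits(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.dst_port != self.public_port:
            return False
        for entry in (e.strip() for e in self.allowed_remote.split(",")):
            if entry.lower() == "any":
                return True
            if ip_address(pkt.src_ip) in ip_network(entry, strict=False):
                return True
        return False

@dataclass
class InboundFirewall:
    rules: list
    # sessions opened from the LAN side: (proto, remote_ip, remote_port, wan_port)
    sessions: set = field(default_factory=set)

    def lan_initiated(self, proto, remote_ip, remote_port, wan_port):
        # A LAN client connected outbound; the MX remembers the flow so the reply gets back in
        self.sessions.add((proto, remote_ip, remote_port, wan_port))

    def inbound(self, pkt: Packet) -> str:
        # 1. Part of an existing session with a LAN client: stateful allow
        if (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port) in self.sessions:
            return "allow:existing-session"
        # 2. Otherwise only a matching port forward / 1:1 NAT rule lets it in
        for rule in self.rules:
            if rule.permits(pkt):
                return f"allow:forward-to-{rule.lan_ip}:{rule.local_port}"
        # 3. Unsolicited and unmatched: dropped
        return "drop"
```

With `allowed_remote="Any"` the page's PC A (81.0.0.1, TCP 10000) is forwarded; with a restricted list such as `"203.0.113.0/24, 198.51.100.7"` the same packet is dropped while replies to LAN-initiated sessions still pass.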

Restricting inbound access is an important part of increasing security within a network. By either restricting inbound connections or limiting outbound replies, unwanted traffic can be minimized.
