Networking-Blog


MERAKI CONFIG

Context:

Corporate network is on 172.31.0.0/16

Public network is on 192.168.0.0/16 (I think /16 could be /20)

The task was to configure a Meraki MR76 to advertise both the corporate network (on the native VLAN, 20) and the public network (VLAN 45). A Meraki requires full cloud connectivity to pull its config, which in turn requires external connectivity, i.e. Internet access. Below is a brief outline of what I tried:

  • Configuring the port the Meraki connected to as a trunk, allowing all VLANs and setting the native VLAN to 20 (corporate). This allowed the Meraki to receive a DHCP address within the 172.31/16 range, HOWEVER it did not have connectivity to the cloud. It did have full corporate connectivity, tested by pinging the edge routers' ingress interfaces. HTTP traffic leaving the corporate network requires the use of a proxy, as there are no NAT rules for a scope of addresses in 172.31/16 (Meraki included), only a single static NAT rule for traffic sourced from the proxy server (this is key to finding the solution).
  • Similar to the above, I also tried configuring the trunk's native VLAN as 45 (public/visitor VLAN), which is governed by neither the proxy NOR the firewall; it traverses a "BT Managed Hub" before entering the WAN. I had full Internet connectivity and access to the Meraki dashboard, which was great, until I realised the Meraki had been placed in the 192.168.0.0/16 network, which is not the network I need it to advertise. I would imagine there is PAT or dynamic NAT configured on this hub to translate addresses in the 192.168.0.0/16 network.
  • Configuring the port as an access port in VLAN 20 and then in VLAN 45 (corporate and public). This had essentially the same outcome as the trunk configurations.
  • Adding a class map to the existing zone-based firewall policy to permit cloud traffic from the Meraki to the Meraki public cloud. I still believe this was required, although I haven't been able to check whether it was, as I had configured the additional class map BEFORE I found the final solution. Within the Wiki is where you'll find the zone-fw config.

Class-map applied to overall policy-map “INSIDE-TO-OUTSIDE-POLICY”

  • I decided to look, once again, at the running config of the Cisco 4351 (our edge router/firewall), which is where WAN traffic traverses. Because my issue was essentially Internet connectivity on VLAN 20 (corporate), I homed in on the NAT config. This is what I saw:
show ip nat translations – shows the current bindings between static LAN addresses and their corresponding public addresses.

Now, as you can see, that's not many static NAT entries for a company that hosts thousands of network devices, and PAT or dynamic NAT was not configured. Then it hit me: THE PROXY SERVER!! Two of the addresses you see above are statically assigned to translate the source address of our proxy servers, which account for hundreds of devices. The Meraki will not hit the proxy server, and therefore will NOT have its source address changed; for cloud communication it requires TCP, UDP and ICMP, NOT HTTP(S) via the proxy.

Because the Meraki requires cloud connectivity to pull its config, I was tasked with finding out the address it had been handed by DHCP – see below:

DHCP administrator tools

It is named "meraki ap" because I recently renamed it. I then created a static NAT entry translating the AP's address to a public address:

Confirmed meraki was receiving a static nat entry

Added an extra SSID on the Meraki for public Wi-Fi using VLAN 45 within the 192.168.0.0/16 network for unfiltered guest traffic, also showcasing (on the left) the native config using VLAN 20:

See the top right for “android-5” (my phone) using the public wifi.

More still to be done, TBC….

Cisco Zone-Based Firewall Policy for Meraki Wireless AP

A zone-based firewall is an advanced form of stateful firewall. In a stateful firewall, an entry containing the source IP address, destination IP address, source port and destination port is maintained in a state table for traffic generated by the trusted (private) network. Only traffic that matches an entry in that table, i.e. replies to connections the private (trusted) network initiated, is then allowed back in.

Zone-based Firewall procedure:

  1. Create zones and assign interfaces to them – In a zone-based firewall, logical zones are created and each interface is assigned to a zone. By default, traffic from one zone to another is not allowed.
  2. Create a class-map – After creating the zones, a class-map is made that identifies the type of traffic, such as ICMP, to which the policy will apply.
  3. Create a policy-map and assign the class-map to it – After identifying the traffic in the class-map, we define what action is taken on it. The action can be:
    • Inspect: The same as CBAC inspection, i.e. only traffic that was inspected on the way out is allowed back in from the outside network (return traffic of the inside (trusted) network).
    • Drop: This is the default action for all traffic. A class-map configured in a policy-map can be set to drop unwanted traffic.
    • Pass: This allows traffic from one zone to another. Unlike the inspect action, it does not create session state for the traffic, so to allow traffic in the opposite direction a corresponding policy must be created.

Below are the configuration tasks to follow:

  1. Configure Zones.
  2. Assign Router Interfaces to zones.
  3. Create Zone Pairs.
  4. Configure Interzone Access Policy (Class Maps & Policy Maps)
  5. Apply Policy Maps to Zone Pairs.

Task 1 : Configure Zones

zone security INSIDE
zone security OUTSIDE

Task 2 : Assign Router Interfaces to Zones

interface GigabitEthernet0/0/1
 zone-member security INSIDE
!
! The WAN-facing interface is not named on this page; substitute your own.
interface <WAN-INTERFACE>
 zone-member security OUTSIDE

Task 3 : Create Zone Pairs

Zone pairs connect the zones. To let two zones communicate, you have to create a zone pair between them. In our scenario the traffic flows between:

  • INSIDE to OUTSIDE

Task 4 : Configure Interzone Access Policy

A class map sorts traffic based on the following criteria:

1.) Access-group

2.) Protocol

3.) A subordinate class map.

So first we create an ACL and associate it with the class map.

ip access-list extended OUTBOUND-INSIDE-MERAKI-MGMT
 remark Next 24 lines - Meraki-Mgmt
 permit udp 172.31.0.0 0.0.255.255 host 64.62.142.12 eq 7351
 permit udp 172.31.0.0 0.0.255.255 host 64.62.142.12 eq 9350
 permit udp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 7351
 permit udp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 9350
 permit udp 172.31.0.0 0.0.255.255 199.231.78.0 0.0.0.255 eq 7351
 permit udp 172.31.0.0 0.0.255.255 199.231.78.0 0.0.0.255 eq 9350
 permit udp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 7351
 permit udp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 9350
 permit tcp 172.31.0.0 0.0.255.255 host 64.62.142.2 eq 80
 permit tcp 172.31.0.0 0.0.255.255 host 64.62.142.2 eq 443
 permit tcp 172.31.0.0 0.0.255.255 host 64.62.142.2 eq 7734
 permit tcp 172.31.0.0 0.0.255.255 host 64.62.142.2 eq 7752
 permit tcp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 80
 permit tcp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 443
 permit tcp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 7734
 permit tcp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 7752
 permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 80
 permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 443
 permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 7734
 permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 7752
 permit udp 172.31.0.0 0.0.255.255 any eq 123
 permit udp 172.31.0.0 0.0.255.255 host 8.8.8.8 eq 53
 permit icmp 172.31.0.0 0.0.255.255 host 8.8.8.8
 permit icmp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255

! With match-any, 'match protocol tcp' alone selects every TCP flow and the ACL
! restricts nothing. Nesting the protocols in a match-all class fixes that
! (MERAKI-MGMT-PROTOCOLS is a name added here, not one from the original post).
class-map type inspect match-any MERAKI-MGMT-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all OUTBOUND-INSIDE-MERAKI-MGMT
 match access-group name OUTBOUND-INSIDE-MERAKI-MGMT
 match class-map MERAKI-MGMT-PROTOCOLS
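Whether the class map is match-any or match-all decides whether the ACL above actually constrains what gets inspected. The Python below is an added example, not configuration or code from this post, from Cisco or from Meraki: a small purpose-built parser applies IOS wildcard-mask matching to a constructed subset of the post's ACL, then evaluates both class-map styles against a Meraki check-in packet and an unrelated outbound SSH flow. The AP source address 172.31.40.10, the outside host 203.0.113.7 and the parser itself are constructions; 172.31.0.0/16 and the Meraki cloud addresses are the ones on this page.

```python
"""IOS extended ACL matching and zone-based firewall class-map semantics.

Added example, not from the blog post, Cisco or Meraki: a toy parser evaluates
a few of the post's ACL entries with IOS wildcard-mask semantics, then shows
what a match-any and a match-all class map each select for the same packets.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "domain": 53, "ntp": 123}  # only port names this toy parser knows

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: tuple                  # (address, wildcard) as ints
    dst: tuple
    dport: Optional[int]        # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if not (wild_match(self.src, pkt.src) and wild_match(self.dst, pkt.dst)):
            return False
        return self.dport is None or self.dport == pkt.dport

def wild_match(spec: tuple, addr: str) -> bool:
    """IOS wildcard: a 1 bit means 'don't care', so only the 0 bits are compared."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care

def parse_addr(tokens: list):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' from the front of tokens."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr, wild), tokens[2:]

def parse_acl(text: str) -> list:
    """Parse permit/deny entries; the 'ip access-list' header and remarks are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue
        src, rest = parse_addr(tokens[2:])
        dst, rest = parse_addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(tokens[0], tokens[1], src, dst, dport))
    return aces

def acl_permits(aces: list, pkt: Packet) -> bool:
    """First match wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False

# Constructed subset of the post's OUTBOUND-INSIDE-MERAKI-MGMT list, addresses as
# they appear in the post; the class map is meant to inspect only these flows.
MERAKI_ACL = """
ip access-list extended OUTBOUND-INSIDE-MERAKI-MGMT
 remark Meraki-Mgmt (subset)
 permit udp 172.31.0.0 0.0.255.255 host 64.62.142.12 eq 7351
 permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 443
 permit udp 172.31.0.0 0.0.255.255 host 8.8.8.8 eq 53
 permit icmp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255
"""

def class_map_match_any(aces: list, pkt: Packet) -> bool:
    """match-any with 'match protocol tcp/udp/icmp' next to the ACL: one criterion
    suffices, so every TCP/UDP/ICMP packet is selected and the ACL restricts nothing."""
    return pkt.proto in ("tcp", "udp", "icmp") or acl_permits(aces, pkt)

def class_map_match_all(aces: list, pkt: Packet) -> bool:
    """match-all of the ACL plus a nested protocol class: both must hold, so only
    flows the ACL permits are inspected."""
    return acl_permits(aces, pkt) and pkt.proto in ("tcp", "udp", "icmp")

def demo() -> dict:
    aces = parse_acl(MERAKI_ACL)
    checkin = Packet("udp", "172.31.40.10", "64.62.142.12", 7351)  # constructed AP address
    stray = Packet("tcp", "172.31.40.10", "203.0.113.7", 22)       # any other outbound flow
    return {"checkin_any": class_map_match_any(aces, checkin),
            "checkin_all": class_map_match_all(aces, checkin),
            "stray_any": class_map_match_any(aces, stray),
            "stray_all": class_map_match_all(aces, stray)}
```

Running demo() shows the Meraki check-in selected by both styles, while the unrelated SSH flow is selected only by the match-any class: that is the case where the ACL you wrote is silently bypassed and every outbound TCP/UDP/ICMP flow is inspected and allowed.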

Task 5: Policy-Map Configuration

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect OUTBOUND-INSIDE-MERAKI-MGMT
  inspect

Task 6 : Apply policy maps to zone pairs

zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE

 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

That completes the basic configuration of a zone-based firewall.

Troubleshooting

You can use the below commands to perform some basic troubleshooting and verification.

a.) Show commands

show class-map type inspect

show policy-map type inspect

show zone-pair security

b.) Debug Commands

debug policy-firewall detail

debug policy-firewall events

debug policy-firewall protocol tcp

debug policy-firewall protocol udp

Stateful vs. Stateless Firewalls

A firewall can be described as being either Stateful, or Stateless.

STATELESS

Stateless firewalls watch network traffic, and restrict or block packets based on source
and destination addresses or other static values. They are not ‘aware’ of traffic patterns
or data flows.

A stateless firewall uses simple rule-sets that do not account for the possibility that a packet
might be received by the firewall ‘pretending’ to be something you asked for.

STATEFUL

Stateful firewalls can watch traffic streams from end to end. They are aware of communication
paths and can implement various IP Security (IPsec) functions such as tunnels and encryption.
In technical terms, this means that a stateful firewall can tell what stage a TCP connection is in
(open, open sent, synchronized, synchronization acknowledged or established), whether the
MTU has changed, whether packets have been fragmented, etc.

Neither is really superior and there are good arguments for both types of firewalls.
Stateless firewalls are typically faster and perform better under heavier traffic loads.
Stateful firewalls are better at identifying unauthorized and forged communications.
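To make the distinction concrete, here is an added Python example, not from the post and not any real firewall's implementation: a minimal TCP connection tracker beside a stateless "established" rule. The inside network 192.168.2.x is borrowed from the LAN access list further down this page; the outside addresses are constructed from documentation ranges. The forged segment is exactly the case the STATELESS paragraph describes, a packet "pretending" to be something you asked for.

```python
"""Stateless versus stateful filtering of the same forged 'reply' segment.

Added example, not from the blog post or any real firewall's code: a minimal
TCP connection tracker shows why a stateless rule that admits anything with
ACK set can be fooled by a segment that merely looks like a reply, while a
tracker admits replies only to connections the inside actually opened.
"""
from dataclasses import dataclass

INSIDE_NET = "192.168.2."   # constructed trusted network prefix for the demo

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset         # subset of {"SYN", "ACK", "FIN", "RST"}

def stateless_allow(seg: Segment) -> bool:
    """Stateless rules: inside may open anything outbound; inbound, anything with
    ACK set is treated as 'established', because without state there is no way
    to know whether a connection really exists."""
    if seg.src.startswith(INSIDE_NET):
        return True
    return "ACK" in seg.flags

class StatefulFirewall:
    """Tracks connections opened from inside and admits only their return traffic."""

    def __init__(self):
        self.table = {}      # (in_ip, in_port, out_ip, out_port) -> TCP state

    def allow(self, seg: Segment) -> bool:
        if seg.src.startswith(INSIDE_NET):                   # outbound direction
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            state = self.table.get(key)
            if state is None:
                if seg.flags == {"SYN"}:
                    self.table[key] = "SYN_SENT"              # inside opens a connection
                    return True
                return False                                  # stray outbound segment
            if state == "SYN_RECEIVED" and "ACK" in seg.flags:
                self.table[key] = "ESTABLISHED"               # third handshake step
            if seg.flags & {"FIN", "RST"}:
                del self.table[key]                           # connection torn down
            return True
        key = (seg.dst, seg.dport, seg.src, seg.sport)        # inbound: reverse tuple
        state = self.table.get(key)
        if state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECEIVED"                  # server answered our SYN
            return True
        if state in ("SYN_RECEIVED", "ESTABLISHED") and "ACK" in seg.flags:
            return True
        return False                                          # no matching connection

def demo() -> dict:
    fw = StatefulFirewall()
    client, server = "192.168.2.4", "203.0.113.10"           # constructed addresses
    syn = Segment(client, 51000, server, 443, frozenset({"SYN"}))
    syn_ack = Segment(server, 443, client, 51000, frozenset({"SYN", "ACK"}))
    ack = Segment(client, 51000, server, 443, frozenset({"ACK"}))
    # A segment 'pretending' to be a reply: ACK set, but aimed at a port nobody opened.
    forged = Segment("198.51.100.9", 443, client, 3389, frozenset({"ACK"}))
    handshake = [fw.allow(syn), fw.allow(syn_ack), fw.allow(ack)]
    return {"handshake": handshake,
            "state": fw.table[(client, 51000, server, 443)],
            "forged_stateless": stateless_allow(forged),
            "forged_stateful": fw.allow(forged)}
```

The legitimate handshake passes both filters and ends in ESTABLISHED; the forged segment passes the stateless rule but is dropped by the tracker, which is the "better at identifying unauthorized and forged communications" point from the paragraph above, and the per-connection table is also where the extra cost of a stateful firewall comes from.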

CBAC

When your router is running an IOS image with the firewall feature set, you can implement CBAC as an
IOS-based stateful firewall. With such inspection, the router can inspect inbound traffic from
outside, such as the Internet, to the inside network. The router can also inspect outbound traffic
from inside the network to the outside.


Cisco Named Access-List WAN

ip access-list extended Wan_Traffic_in
remark ISP_DHCP
permit udp any any eq bootpc bootps
remark DENY_Spam_Email_Ip_Addresses
deny   ip host 80.237.152.41 any
deny   ip host 210.193.7.241 any
deny   ip host 194.146.227.72 any
deny   ip host 218.107.207.123 any
deny   ip host 80.189.90.17 any
deny   ip host 58.215.255.74 any
deny   ip host 60.191.248.102 any
deny   ip host 209.202.164.112 any
deny   ip host 68.142.212.70 any
deny   ip host 195.95.24.94 any
deny   ip host 208.74.44.15 any
deny   ip host 62.1.216.170 any
deny   ip host 68.180.151.74 any
deny   ip host 204.244.135.1 any
deny   ip host 12.154.55.204 any
deny   ip host 209.237.150.20 any
deny   ip host 72.52.206.162 any
deny   ip host 59.106.72.230 any
deny   ip host 213.92.32.230 any
deny   ip host 87.24.42.59 any
deny   ip host 82.98.86.172 any
remark DENY_IP_Spoofing_Addresses
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.0.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 224.0.0.0 0.255.255.255 any
deny   ip 240.0.0.0 0.255.255.255 any
remark DENY_Traffic
deny   tcp any host 86.17.130.81 eq telnet
deny   udp any host 86.17.130.81 eq 135
deny   udp any host 86.17.130.81 eq netbios-ns
deny   udp any host 86.17.130.81 eq netbios-ss
deny   ip host 0.0.0.0 any
remark ICMP
permit icmp any host 86.17.130.81 administratively-prohibited
permit icmp host 80.74.17.9 host 86.17.130.81 echo
permit icmp any host 86.17.130.81 echo-reply
permit icmp any host 86.17.130.81 unreachable
permit icmp any host 86.17.130.81 time-exceeded
permit icmp any host 86.17.130.81 traceroute
remark MTU_Path_Discovery
permit icmp any host 86.17.130.81 packet-too-big
remark IPSEC
permit udp any host 86.17.130.81 eq non500-isakmp
permit udp any host 86.17.130.81 eq isakmp
permit esp any host 86.17.130.81
permit ahp any host 86.17.130.81
permit tcp any host 86.17.130.81 eq 10000
remark VPN_PPTP
permit tcp any host 86.17.130.81 eq 1723
remark GRE
permit gre any host 86.17.130.81
remark RDP
permit tcp any host 86.17.130.81 eq 3390
remark FTP
permit tcp any host 86.17.130.81 eq 121
permit tcp any host 86.17.130.81 eq 47000
permit tcp any host 86.17.130.81 eq 47001
permit tcp any host 86.17.130.81 eq 47002
permit tcp any host 86.17.130.81 eq 47003
permit tcp any host 86.17.130.81 eq 47004
permit tcp any host 86.17.130.81 eq 47005
permit tcp any host 86.17.130.81 eq 47006
permit tcp any host 86.17.130.81 eq 47007
permit tcp any host 86.17.130.81 eq 47008
permit tcp any host 86.17.130.81 eq 47009
permit tcp any host 86.17.130.81 eq 47010
remark SSH
permit tcp any host 86.17.130.81 eq 22
remark NTP
permit udp host 193.201.200.74 host 86.17.130.81 eq ntp
remark UTORRENT_LIMEWIRE
permit tcp any host 86.17.130.81 eq 50518
deny   ip any any log
!
interface fa0/0
ip access-group Wan_Traffic_in in

Cisco Named Access-List LAN

ip access-list extended Lan_Traffic_Out
deny   ip host 192.168.2.4 host 24.199.192.15
deny   ip host 192.168.2.4 host 216.27.56.6
deny   ip host 192.168.2.4 host 207.38.11.174
remark HTTP
permit tcp host 192.168.2.4 any eq www
remark HTTPS
permit tcp host 192.168.2.4 any eq 443
remark AAA_Radius
permit udp host 192.168.2.4 host 192.168.2.1 range 1645 1646
remark ICMP
permit icmp host 192.168.2.4 any
remark DNS
permit udp host 192.168.2.4 any eq domain
permit tcp host 192.168.2.4 any eq domain
remark SSH
permit tcp host 192.168.2.4 any eq 22
remark TFTP
permit udp host 192.168.2.4 any eq tftp
remark TELNET
permit tcp host 192.168.2.4 any eq telnet
remark NTP
permit udp 192.168.2.0 0.0.0.15 host 192.168.2.1 eq ntp
remark SMTP
permit tcp host 192.168.2.4 any eq smtp
remark MICROSOFT VPN
permit tcp host 192.168.2.4 any eq 1723 log
remark GRE (GENERIC ROUTING ENCAPSULATION)
permit gre host 192.168.2.4 any log
remark RDP
permit tcp host 192.168.2.4 any eq 3389
remark VNC
permit tcp host 192.168.2.4 any eq 5900
remark NETFLOW_ANALYZER
permit udp host 192.168.2.4 host 192.168.2.1 eq 9996
remark SNMP
permit udp host 192.168.2.4 host 192.168.2.1 eq snmp
remark SNMP_TRAPS
permit udp host 192.168.2.4 host 192.168.2.1 eq snmptrap
remark SYSLOG
permit udp host 192.168.2.4 host 192.168.2.1 eq syslog
remark MSN MESSENGER
permit tcp host 192.168.2.4 207.46.106.0 0.0.0.255 eq 1863
permit tcp host 192.168.2.4 207.46.107.0 0.0.0.255 eq 1863
permit tcp host 192.168.2.4 207.46.110.0 0.0.0.255 eq 1863
permit tcp host 192.168.2.4 207.46.124.0 0.0.0.255 eq 1863
permit tcp host 192.168.2.4 207.46.125.0 0.0.0.255 eq 1863
permit tcp host 192.168.2.4 64.4.34.0 0.0.0.255 eq 1863
permit tcp host 192.168.2.4 64.4.36.0 0.0.0.255 eq 1863
permit tcp host 192.168.2.4 64.4.37.0 0.0.0.255 eq 1863
permit tcp host 192.168.2.4 64.4.50.0 0.0.0.255 eq 1863
permit tcp host 192.168.2.4 65.54.171.0 0.0.0.255 eq 1863
permit tcp host 192.168.2.4 65.54.228.0 0.0.0.255 eq 1863
remark SPOTIFY
permit tcp host 192.168.2.4 host 78.31.8.14 eq 4070
permit tcp host 192.168.2.4 host 78.31.8.31 eq 4070
permit tcp host 192.168.2.4 host 78.31.8.16 eq 4070
permit tcp host 192.168.2.4 host 78.31.8.17 eq 4070
permit tcp host 192.168.2.4 host 78.31.8.18 eq 4070
permit tcp host 192.168.2.4 host 78.31.8.19 eq 4070
remark LIMEWIRE
permit tcp host 192.168.2.4 any eq 6346 log
remark UTORRENT
permit tcp host 192.168.2.4 any range 1024 65535
permit udp host 192.168.2.4 any range 1024 65535
remark PRINTER
permit tcp host 192.168.2.4 host 192.168.5.2 eq 9100
remark DENY_TRAFFIC
deny   ip any any log
!
interface vlan 1
ip access-group Lan_Traffic_Out in

Linux Iptables Flush Script

Launch gedit

Create a shell script (iptables_flush.sh) and copy paste the following lines:

#!/bin/sh
# Empty every iptables table and reset the default policies to ACCEPT,
# leaving the host with no packet filtering in place.
echo "Flushing iptables rules..."
sleep 1
iptables -F              # flush all chains in the filter table
iptables -X              # delete user-defined chains in the filter table
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

save as:  iptables_flush.sh in root

Make the file executable

chmod +x iptables_flush.sh

and run the script:

./iptables_flush.sh