I am relatively new to the sonicwall setup but I am facing a problem. We have Cisco Meraki devices and Cisco has notified us that they are not able to communicate with our Meraki devices. They have added new IP's and I believe ports that they need to reach. How do I go about setting up the sonicwall so it can reach the following IP's and ports?
I got as far as creating an address group of the IP's. I also added a service group that contains the UDP ports as a start. I believe I need to then create an access rule? Not sure how to put all the pieces together from here.
The new Meraki IP's/ports are:
126.96.36.199/20 and 188.8.131.52/19 ranges are port UDP 7351, 9350-9351 and TCP 80, 443, 7734, 7752.
The sonicwall is a TZ 300 running 184.108.40.206-83n
Any help would be greatly apprecaited.
Drew_Schwedland Newbie ✭
You are correct. The next step would be to create an access rule that allows traffic from the LAN to the WAN from whatever devices you want (you can specify the AP IP addresses or just any) to the IP addresses for Meraki on with the service group you created. Let me know if that helps!0
BWC Cybersecurity Overlord ✭✭✭
@LewisAofM you can't use the Source Ports in the Access Rules, it has to be the Service (Destination Port) because there sits the Service listening to it. You probably never need to set the Source Port because it's usually random.
Thanks Drew. I did From: LAN, To: WAN, Source Port: Meraki Access Ports (where I defined the TCP and UDP ports needed), service: Any, Source: Any, Destination: Meraki IP Range.
I don't see any traffic going through that rule at this time. I've just contacted Meraki to run another test against the AP's to see if the problem is resolved. I'll let you know. Please let me know if you see any issues with the way I setup the rule.
Ah...I see, thanks. Do you see any issues with me adding the 2 IP's that Meraki needs in the Destination box? To me it appears as if that would limit where the open ports could connect to. Thanks again.
@LewisAofM two IPs sounds a bit static, when you can make sure they do not change you should be golden. If you can limit them by FQDN this would be the way I prefer (if there are names for it).
Security-wise limiting the Destination IPs is the best approach.
They have a /20 on one of them and a /19 on the other so the range is pretty big. They only give IP ranges and not a FQDN. Thanks again Michael.
Then two Network Objects covering these /20 and /19 subnets sound reasonable.
Those are the only 2 networks that Meraki gives for their dashboard/management. I thought it was odd at first, but I have been using it for months with no problems! @LewisAofM Unless you only want certain devices on your network to access certain stuff inside your network and they have to be on the same network as everything else, then you are better off leaving source ports and addresses alone. Just use the destination addresses and ports. I hope this helps with any other questions you may have about setting up rules in your network! I am always happy to help if needed!
I still show no traffic via that new access rule but when I do an nping I get a reply. I also set the priority to "auto prioritize". Without that, I had an error about it being an invalid priority. Hopefully Meraki responds soon with a new test result. Thanks again.
@LewisAofM Do you have a Deny all rule? Is the Meraki rule after that? I know you said that you had all the IPs and ports that was needed, but just in case, here is a link to their documentation on what needs to be opened up on the firewall for what.
I can also look on my firewalls and see what I have configured on them. I use Meraki wifi and haven't had any issues with connection to Meraki dashboard on 6th or 7th gen firewalls
They had been working fine but Meraki emailed us and said "You are receiving this notice because devices in one or more of your Meraki networks are unable to reach our platform through these new IP ranges." We have no Meraki specific rules (until now). I'd be curious to see what you have if its anything specific to this. I also don't see any deny rules that would prevent the traffic.
I realize now that I didn't lock it down to IP address because there were so many on the website and I didn't want to configure that many. I just opened up the ports I wanted to use. Here are all the ports I used. I assume that you're missing an IP address or network somewhere, because they have a lot. Have you guys done any specific port configuration on your firewall?
Meraki1 (Cloud Communication)UDP 7351
Meraki2 (VPN Registry)UDP 9350 - 9351
Meraki3 (iOS Systems Manager Communication)TCP 2195 - 2196
Meraki5 (Android Systems manager Communication)TCP 5228 - 5230
Meraki4 (iOS Systems Manager Communication)TCP 5223
Meraki6 (Backup)TCP 993
Meraki7 (Backup)TCP 6514
Meraki8 (Backup)TCP 7734
Meraki9 (Backup)TCP 7752
Meraki10 (Backup)TCP 30001
Meraki11 (Backup)TCP 60000 - 61000
I just changed the priority on the rule and doing an nping now shows traffic over that rule. I made it priority 5 so I guess another rule above it had been denying the traffic. I'm not at all familiar with the priorities (although I understand it in concept) so do you see any issues having it that high? Everything is set to "Any" except the Service and the Destination. They have the ports/protocols and the Meraki IP's respectively.
No I don't see an issue with it being that high. I manually set all my priorities for outbound traffic so they don't get stuck behind my Deny all rule that doesn't let anything out that I don't want
Ok I'll see what happens from here. We don't need all the IP's and ports you have listed. Support only told me the 2 IP ranges and the specific TCP and UDP ports I needed to allow. They said that's the only thing impacting us. I'll keep you posted. Thanks!
No problem! I am curious to see how this turns out!
Meraki got back to me and said we passed all tests. Pretty cool. You guys are awesome! Thanks for all the help.
That's good to hear! I'm happy to help!