Inbound VPN firewall rules - desperately needed!

lpopejoy
A model citizen

Two issues:

Client VPN: almost zero firewall rules around this, excluding the hack job of using group policy and assigning it to the VPN client device (which isn't reliable).

Site-to-site VPN with 3rd-party firewalls: no ability to block inbound traffic. Meraki's position is that it all needs to be blocked "closest to the source". That's all good and well, but what if you don't have control over the source? We have multiple cases of setting up S2S VPNs with 3rd-party firewalls and outside vendors. I don't like it, I don't want to do it, but didn't have a choice. The really terrible part is that we have to expose our entire network to the 3rd party and can't control the ingress on the VPN.

We NEED firewall rules on inbound VPN traffic, both S2S AND client VPN, but especially S2S. Every other firewall I've worked with has this capability.

PLEASE!!

8 Replies
DarrenOC
Kind of a big deal

Hi @lpopejoy, this feature has been requested for a long time. At the moment the Meraki documentation states:

Considerations for VPN Firewall Rules

When configuring VPN Firewall rules, it is important to remember that traffic should be stopped as close to the originating client device as possible. This cuts down on traffic over the VPN tunnel and will result in the best network performance. Because of this, site-to-site firewall rules are applied only to outgoing traffic. As such, the MX cannot block VPN traffic initiated by non-Meraki peers.

It just isn't available at the moment. For this purpose alone we utilise ASAs for non-Meraki S2S VPNs.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
lpopejoy
A model citizen

I know it isn't available, that's why I posted! This needs someone inside Meraki to push it up the development path.

KarstenI
Kind of a big deal

I also eagerly want them. Most of the time we have an additional ASA side by side for all extranet VPNs, same as @DarrenOC.

Well, not for all customers: some time ago a potential customer decided completely against the Meraki Fullstack because he thought we wanted to fool him with that approach.

PhilipDAth
Kind of a big deal

Most of the development effort is going into AnyConnect.

Right now, you can use RADIUS to assign group policy dynamically to client VPN users using the Filter-Id attribute.

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance

The story in this area is: if you want very basic client VPN connectivity, use the Microsoft VPN client; if you need anything more complex, use Cisco AnyConnect.

The Cisco AnyConnect support is excellent. It is my most preferred client VPN deployment option.

lpopejoy
A model citizen

AnyConnect doesn't help with site-to-site.

…and it has a minimum license purchase of 25 licenses, which pretty much kills its usefulness for most of our clients. Otherwise, I agree.

Dunky
Head in the Cloud

I too would love to be able to apply inbound rules on 3rd-party S2S VPN. At present I have to permit all traffic in, when in reality all I want is to permit HTTP/HTTPS traffic to specific IP addresses.

Dunky
Head in the Cloud

I assume this is still a limitation?

We are looking to replace some legacy cameras and NVRs etc. with Meraki MVs, but need to have a VPN to a 3rd-party ARC (Alarm Receiving Centre).

If we cannot control ingress traffic and the ARC will not allow us to put an MX at their site, then it is impossible for us to go down the Meraki MV route without a separate firewall, which defeats the goal of managing everything through the Meraki dashboard.

Would welcome any input or feedback.

KarstenI
Kind of a big deal

Yes, it's still the same situation. I assume everything regarding extranet VPNs has no priority at Meraki, which is sad as I don't know a single customer who doesn't need this functionality.
