Meraki

Community

Restricting site to site vpn access between networks

acadiana
New here
‎Nov 4 2022 7:17 AM
‎Nov 4 2022 7:17 AM

Restricting site to site vpn access between networks

I have about 15 networks that are under one dashboard. I have site to site vpn enabled for 2 networks that works just fine. Today I need to connect 2 other networks that do not need to communicate with the first 2. How do I do that? It seems they can all communicate right now.

0 Kudos
9 Replies 9
ww
Kind of a big deal
Kind of a big deal
‎Nov 4 2022 7:36 AM
‎Nov 4 2022 7:36 AM

You need to use the vpn firewall to create fw rules.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

 

Another option would be to use a group policy that is using stateless fw rules. And apply that to the vlans that are part of the vpn.https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

0 Kudos
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 4 2022 7:42 AM
‎Nov 4 2022 7:42 AM

Hi,

 

You can create an L3 rule on the site-to-site VPN page.

 

alemabrahao_0-1667572933595.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
acadiana
New here
‎Nov 4 2022 7:47 AM
‎Nov 4 2022 7:47 AM

It shows that its for non meraki peers, but these are all meraki peers. Still use that rule section?

0 Kudos
In response to acadiana
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 4 2022 7:49 AM
‎Nov 4 2022 7:49 AM

I use It for SD-WAN and It works well.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to acadiana
ww
Kind of a big deal
Kind of a big deal
‎Nov 4 2022 7:49 AM
‎Nov 4 2022 7:49 AM

"These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and Non-Meraki)."

0 Kudos
In response to acadiana
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 4 2022 7:51 AM
‎Nov 4 2022 7:51 AM

Overview

Administrators have the ability to add firewall rules to restrict the traffic flow through the VPN tunnel for a Cisco Meraki MX Security Appliance. Similar to other Meraki firewall options, this firewall is stateful and will only block traffic if it does not match an existing flow.

These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and Non-Meraki).

Creating Firewall Rules

To create a firewall rule, follow the steps below.

  1. Navigate to Security & SD-WAN > Configure > Site-to-site VPN.

  2. Select Add a rule in the Site-to-site outbound firewall under the Organization-wide settings section of the page.

     

     

  3. Fill in the desired parameters for the rule

  4. Select Save changes.

Considerations for VPN Firewall Rules

When configuring VPN Firewall rules, it is important to remember that traffic should be stopped as close to the originating client device as possible. This cuts down on traffic over the VPN tunnel and will result in the best network performance. Because of this, site-to-site firewall rules are applied only to outgoing traffic. As such, the MX cannot block VPN traffic initiated by non-Meraki peers. 

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
acadiana
New here
‎Nov 4 2022 8:32 AM
‎Nov 4 2022 8:32 AM

What should the rule look like. Source and Destination?

0 Kudos
In response to acadiana
ww
Kind of a big deal
Kind of a big deal
‎Nov 4 2022 9:07 AM
‎Nov 4 2022 9:07 AM

Depends on your needs.. but For example: 

 

Allow >

source: location1 and location2 subnet   destination: location1 and location2 subnet

 

Allow >

source: location3 and location4 subnet  destination: location3 and location4 subnet

 

Deny > any any

In response to acadiana
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 4 2022 10:14 AM
‎Nov 4 2022 10:14 AM

Considerations for VPN Firewall Rules

When configuring VPN Firewall rules, it is important to remember that traffic should be stopped as close to the originating client device as possible. This cuts down on traffic over the VPN tunnel and will result in the best network performance. Because of this, site-to-site firewall rules are applied only to outgoing traffic. As such, the MX cannot block VPN traffic initiated by non-Meraki peers. 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.