Best practice for controlling traffic between two peers through a 3rd party VPN tunnel

SOLVED
nikmagashi
Getting noticed

Hi,

I need to create an IPsec tunnel with another peer (which is not an MX) and then we need to give access to the other side only to one host on our side. I guess I have to put the entire network of the other peer under the private subnet, but then how should I control what talks to what? Is it by creating rules under the site-to-site outbound firewall rules, or should I create those rules on Security & SD-WAN -> Firewall? Or is there maybe some other way to do it?

BR

1 ACCEPTED SOLUTION
alemabrahao
Kind of a big deal

Considerations for VPN Firewall Rules

When configuring VPN firewall rules, it is important to remember that traffic should be stopped as close to the originating client device as possible. This cuts down on traffic over the VPN tunnel and will result in the best network performance. Because of this, site-to-site firewall rules are applied only to outgoing traffic. As such, the MX cannot block VPN traffic initiated by non-Meraki peers.

The image below demonstrates a misconfigured site-to-site firewall rule. Site-to-site firewall rules only apply to outbound traffic. This rule will never be applied as the source subnet is not a LAN subnet on the MX:

[image: alemabrahao_2-1669286592676.png]

The following image demonstrates a site-to-site firewall rule that will be applied correctly. Traffic from the 10.0.1.0/24 subnet will not be able to reach the 10.0.2.0/24 subnet since the 10.0.1.0/24 subnet is a LAN subnet on the MX.

[image: alemabrahao_4-1669286645411.png]

When traffic passing through the MX matches a site-to-site VPN route, VPN firewall rules are applied in descending order. VPN traffic to both AutoVPN and non-Meraki peers is only subject to the site-to-site firewall rules and is never subject to global Layer 3 firewall rules.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


13 REPLIES

All right, so if I want to allow the 3rd party endpoint (their network, let's say 10.0.2.0/24) to talk with only one host on my end (for example 10.0.1.10/32), then I first allow only the source 10.0.1.10/32 to talk to 10.0.2.0/24 and then deny source 10.0.1.0/24 to destination 10.0.2.0/24. With these two rules the other party would be able to talk only to that specific IP address but not to the entire network. Is my logic correct?

Yes, it is.

ww
Kind of a big deal

That does not work, you can't block incoming traffic with the site-to-site VPN firewall.

You could try using a group policy and assigning it to the local VLAN. GP uses stateless firewall rules.

alemabrahao
Kind of a big deal

So are you saying that Meraki documentation is wrong?

ww
Kind of a big deal

No. It says "As such, the MX cannot block VPN traffic initiated by non-Meraki peers."

alemabrahao
Kind of a big deal

Yes, it works:

[image: alemabrahao_1-1669310646702.png]

[image: alemabrahao_0-1669310589510.png]

 

ww
Kind of a big deal

But that is traffic initiated by you, not by the other 3rd party.

alemabrahao
Kind of a big deal

Yes, but it works, it's just a matter of adjusting the rules.

The rule may not be bidirectional, but if you create a rule the other way around it should work. I know because I use it with another customer, and it works. It may not be practical, but it works.

ww
Kind of a big deal

It should not work because the Meraki stateful FW is outbound, and if an inbound session is initiated it's an allowed session in the firewall.

If it works then they should remove this part from the documentation:

"As such, the MX cannot block VPN traffic initiated by non-Meraki peers"

alemabrahao
Kind of a big deal

👍


This is not a valid test as you are only blocking the echo-replies when initiated from the peer side. 

I would consider this firewalling working if I can block an SQL-Slammer (which was only one UDP packet without any return packet) from my Non-Meraki-peer.

👍

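The two rules the original poster proposed (allow 10.0.1.10/32, then deny 10.0.1.0/24) and the point made in the last reply about echo replies versus a single inbound UDP packet can both be checked with a small model of how the MX applies site-to-site VPN firewall rules. The script below is an added example, not code from the thread or from Cisco Meraki: the rule dictionaries, the `outbound_verdict` and `simulate_flow` functions, and the scenario addresses are constructed for illustration. It models two documented facts (first-match evaluation in descending order; rules apply only to traffic leaving the local LAN) plus one assumption taken from the thread's last reply: that the reply a local host sends back to a peer-initiated request is itself evaluated as outbound traffic.

```python
import ipaddress

# Constructed example rules, written in the column layout of the MX site-to-site VPN
# firewall page (policy, protocol, source CIDR, destination CIDR). They are the two rules
# the original poster proposed: one host may reach the partner, the rest of the LAN may not.
VPN_FIREWALL_RULES = [
    {"comment": "only this host may talk to the partner", "policy": "allow",
     "protocol": "any", "srcCidr": "10.0.1.10/32", "destCidr": "10.0.2.0/24"},
    {"comment": "the rest of our LAN is blocked", "policy": "deny",
     "protocol": "any", "srcCidr": "10.0.1.0/24", "destCidr": "10.0.2.0/24"},
]
LOCAL_LAN = ipaddress.ip_network("10.0.1.0/24")    # LAN subnet on the MX (from the thread)
PEER_SUBNET = ipaddress.ip_network("10.0.2.0/24")  # non-Meraki peer's subnet (from the thread)


def _in_cidr(cidr: str, ip: str) -> bool:
    """True if ip falls inside cidr; 'any' matches everything, as in the dashboard."""
    if cidr.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def outbound_verdict(rules: list, src: str, dst: str, proto: str = "tcp") -> str:
    """First match wins, evaluated top to bottom, which is how the MX applies
    site-to-site rules to traffic leaving the LAN for a VPN peer. If nothing
    matches, the implicit final rule allows the traffic."""
    for rule in rules:
        if rule["protocol"] != "any" and rule["protocol"] != proto:
            continue
        if _in_cidr(rule["srcCidr"], src) and _in_cidr(rule["destCidr"], dst):
            return rule["policy"]
    return "allow"


def simulate_flow(rules: list, src: str, dst: str, proto: str, needs_reply: bool) -> dict:
    """Model one flow across the tunnel and report which packets get through.

    Only packets sourced on the local LAN are checked against the rules. A packet
    that arrives from the peer subnet is delivered without any rule being consulted,
    which is why a single inbound UDP packet cannot be stopped here. The reply our
    host sends back is modelled as an ordinary outbound packet that the rules do see;
    that is the behaviour the last reply in the thread describes for echo replies and
    is an assumption of this model, not a documented guarantee.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in LOCAL_LAN and d in PEER_SUBNET:
        allowed = outbound_verdict(rules, src, dst, proto) == "allow"
        return {"initiator": "local", "request_delivered": allowed,
                "reply_delivered": allowed and needs_reply}
    if s in PEER_SUBNET and d in LOCAL_LAN:
        reply_allowed = outbound_verdict(rules, dst, src, proto) == "allow"
        return {"initiator": "peer", "request_delivered": True,
                "reply_delivered": needs_reply and reply_allowed}
    raise ValueError(f"{src} -> {dst} does not cross this tunnel")


if __name__ == "__main__":
    scenarios = [
        ("10.0.1.10", "10.0.2.5", "tcp", True),    # the permitted host, locally initiated
        ("10.0.1.20", "10.0.2.5", "tcp", True),    # another LAN host, locally initiated
        ("10.0.2.5", "10.0.1.20", "icmp", True),   # peer pings a host that should be blocked
        ("10.0.2.5", "10.0.1.20", "udp", False),   # peer sends one UDP packet, no reply needed
    ]
    for src, dst, proto, needs_reply in scenarios:
        print(f"{src} -> {dst} {proto:4}",
              simulate_flow(VPN_FIREWALL_RULES, src, dst, proto, needs_reply))
```

Running the scenarios shows why the thread disagrees: a ping from the peer to 10.0.1.20 fails because the echo reply is dropped on the way out, so the test in the screenshots looks like a working inbound filter, but the echo request itself was delivered, and a one-packet UDP flow from the peer is delivered with no return traffic to deny. Reversing the order of the two rules makes the deny match first and cuts off 10.0.1.10 as well, which is the descending-order point from the accepted answer. To actually stop peer-initiated traffic, the filtering has to happen on the peer's side, or on the LAN side with a group policy on the VLAN as suggested above.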