Blocking access Users in Site-to-Site VPN

SOLVED
Vipul
Here to help


I want to block one of the site's users from directly accessing all other sites over the site-to-site VPN. I have created the test rule below to block one device from all sites. But the rule is not working; maybe I am doing something wrong.

[Screenshot: Site-to-Site outbound firewall (Vipul_0-1685122583585.png)]

I appreciate your support in advance.

 

1 ACCEPTED SOLUTION
alemabrahao
Kind of a big deal

See some considerations.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


6 REPLIES
ww
Kind of a big deal

Are you doing a test from that source IP to that destination subnet?

Did you wait 10 minutes after applying the rule?

Vipul
Here to help

Yes, you are right. It's been an hour, but nothing happened. But I understand the behavior shared by @alemabrahao. I have created two new rules (and vice versa) and tested; it was working fine. See the screenshot below.

[Screenshot: Vipul_0-1685126930643.png]

Let me test more. I will update the results.

 

 
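The "two rules and vice versa" outcome above can be checked against a small first-match model. This is an added example, not code from the thread or from Cisco Meraki: it assumes top-down first-match evaluation with an implicit final allow, mirrors the field names of the Meraki Dashboard API vpnFirewallRules schema, and uses constructed sample addresses. It shows that a single host-to-all deny leaves connections initiated from the other sites toward that host untouched, which is why the reverse rule is needed.

```python
"""Added example: why one outbound deny is not full isolation.

Rule dictionaries follow the Meraki Dashboard API vpnFirewallRules field
names (policy, protocol, srcCidr, destCidr, srcPort, destPort,
syslogEnabled). First-match evaluation and the implicit final allow are
assumptions about the rule engine; the addresses are constructed."""
import ipaddress

BLOCKED_HOST = "10.10.1.50/32"   # constructed: the one device to isolate
REMOTE_SITES = "any"             # every other VPN peer


def deny_pair(host, peers):
    """Build the two-rule set: host -> peers and peers -> host."""
    base = {"policy": "deny", "protocol": "any",
            "srcPort": "Any", "destPort": "Any", "syslogEnabled": True}
    return [
        dict(base, comment="block host to all sites",
             srcCidr=host, destCidr=peers),
        dict(base, comment="block all sites to host",
             srcCidr=peers, destCidr=host),
    ]


def _cidr_match(cidr, ip):
    """True if ip falls in any comma-separated CIDR, or cidr is 'any'."""
    if cidr.lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in cidr.split(","))


def evaluate(rules, src_ip, dst_ip):
    """Policy for a connection initiated src_ip -> dst_ip.

    First matching rule wins; with no match the implicit rule allows."""
    for rule in rules:
        if (_cidr_match(rule["srcCidr"], src_ip)
                and _cidr_match(rule["destCidr"], dst_ip)):
            return rule["policy"]
    return "allow"


if __name__ == "__main__":
    one_way = deny_pair(BLOCKED_HOST, REMOTE_SITES)[:1]
    both = deny_pair(BLOCKED_HOST, REMOTE_SITES)
    print(evaluate(one_way, "10.10.1.50", "10.20.0.7"))  # deny
    print(evaluate(one_way, "10.20.0.7", "10.10.1.50"))  # allow (reverse open)
    print(evaluate(both, "10.20.0.7", "10.10.1.50"))     # deny
```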

GIdenJoe
Kind of a big deal

It could be another way of looking at it, but you could have a group policy on that user (if WiFi on the AP) or via 802.1X (on switches) to put that user in another VLAN that is not passed to a site-to-site peer.

Agreed, @GIdenJoe. I appreciate your advice.

delilahkl
Just browsing

To block a specific site user from accessing all other sites over a site-to-site VPN, you have created a test rule. However, it seems that the rule is not functioning as expected. To resolve this issue, you may need to review and troubleshoot the rule configuration. Check if the rule is properly applied, the device is correctly identified, and the settings align with the desired blocking behavior. Adjustments or corrections to the rule may be necessary to successfully block the targeted user's access to all other sites.
