Meraki

Community

Creative VPN traffic firewall

lpopejoy
A model citizen
‎Aug 27 2020 11:10 AM
‎Aug 27 2020 11:10 AM

Creative VPN traffic firewall

Does anyone have any suggestions on a creative way to block inbound site-to-site VPN traffic?  We have a software vendor that requires a site to site VPN, but I don't want to give wide open access to the entire subnet.  I would prefer to only allow traffic FROM us TO them and only on port 1433.  

 

 

0 Kudos
2 Replies 2
BrechtSchamp
Kind of a big deal
‎Aug 28 2020 5:28 AM
‎Aug 28 2020 5:28 AM

I fear this is not possible at the moment. This article describes how the firewall is supposed to work and if I understand it correctly it can't block a flow that is initiated from the third party: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

 

In my opinion this is a shortcoming of the product. While I understand the philosophy to block flows as close to the source as possible this may not always be possible as that third party device may be one you don't have under control/don't trust. Perhaps someone from the MX team can elaborate a bit on the philosophy.

0 Kudos
In response to BrechtSchamp
lpopejoy
A model citizen
‎Aug 28 2020 12:08 PM
‎Aug 28 2020 12:08 PM

Yeah, I was afraid of this.  It is such a royal pain to put in *another* firewall because of this simple limitation.  It seems like a no brainer to apply firewall policies to site to site VPN.  Why wouldn't this be part of the solution out of the box?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.