Creative VPN traffic firewall

lpopejoy
Building a reputation

Does anyone have any suggestions on a creative way to block inbound site-to-site VPN traffic? We have a software vendor that requires a site-to-site VPN, but I don't want to give wide open access to the entire subnet. I would prefer to only allow traffic FROM us TO them and only on port 1433.

BrechtSchamp
Kind of a big deal

Re: Creative VPN traffic firewall

I fear this is not possible at the moment. This article describes how the firewall is supposed to work and if I understand it correctly it can't block a flow that is initiated from the third party: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

In my opinion this is a shortcoming of the product. While I understand the philosophy to block flows as close to the source as possible this may not always be possible as that third party device may be one you don't have under control/don't trust. Perhaps someone from the MX team can elaborate a bit on the philosophy.
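As an added illustration (not Meraki code and not part of either poster's reply), the following models the policy lpopejoy asked for, connections only FROM us TO the vendor and only to TCP/1433, next to a plain port filter, and shows why deciding on direction requires knowing who initiated the connection, which is the point BrechtSchamp raises about the VPN firewall. The subnets, ports other than 1433, and sample traffic are constructed assumptions.

```python
# Added illustration (not Meraki code): direction-aware policy for a
# site-to-site VPN. Subnets and sample traffic below are constructed.
import ipaddress
from dataclasses import dataclass

LOCAL_NET = ipaddress.ip_network("10.10.0.0/24")     # assumed: our side
VENDOR_NET = ipaddress.ip_network("172.16.40.0/24")  # assumed: vendor side
ALLOWED_DPORTS = {1433}                              # the one service we need


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the first packet of a new TCP connection


def stateless_port_rule(pkt, conns=None):
    """Naive 'allow TCP/1433 between the two subnets' with no notion of who
    opened the connection: the vendor can reach our hosts on 1433 as well."""
    a, b = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    between = (a in LOCAL_NET and b in VENDOR_NET) or (a in VENDOR_NET and b in LOCAL_NET)
    return "allow" if between and pkt.dport in ALLOWED_DPORTS else "deny"


def stateful_rule(pkt, conns):
    """Admit a new connection only if it goes LOCAL_NET -> VENDOR_NET on an
    allowed port; afterwards admit only packets of a tracked connection."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if pkt.syn:
        if src in LOCAL_NET and dst in VENDOR_NET and pkt.dport in ALLOWED_DPORTS:
            conns.add(fwd)   # remember the connection we opened
            return "allow"
        return "deny"        # every vendor-initiated connection lands here
    return "allow" if fwd in conns or rev in conns else "deny"


def evaluate(packets, rule):
    conns = set()  # connection table, consulted only by the stateful rule
    return [rule(p, conns) for p in packets]


# Constructed traffic: we open SQL to the vendor and get a reply, then the
# vendor tries to open connections back into our network.
SAMPLE = [
    Packet("10.10.0.25", 50000, "172.16.40.10", 1433, syn=True),   # us -> them
    Packet("172.16.40.10", 1433, "10.10.0.25", 50000, syn=False),  # their reply
    Packet("172.16.40.10", 40000, "10.10.0.25", 1433, syn=True),   # them -> us, 1433
    Packet("172.16.40.10", 40001, "10.10.0.25", 445, syn=True),    # them -> us, SMB
    Packet("10.10.0.25", 50001, "172.16.40.10", 3389, syn=True),   # us -> them, wrong port
    Packet("172.16.40.10", 1433, "10.10.0.25", 50099, syn=False),  # reply with no connection
]
```

Running `evaluate(SAMPLE, stateless_port_rule)` admits the vendor-initiated connection to port 1433 (third packet), while `evaluate(SAMPLE, stateful_rule)` denies it and still admits the reply to the connection we opened.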

lpopejoy
Building a reputation

Re: Creative VPN traffic firewall

Yeah, I was afraid of this. It is such a royal pain to put in *another* firewall because of this simple limitation. It seems like a no-brainer to apply firewall policies to site-to-site VPN. Why wouldn't this be part of the solution out of the box?
