Does Site-to-site VPN overrides Firewall rules (Security & SD-WAN > Firewall) ?

jay_b
Getting noticed

Does Site-to-site VPN overrides Firewall rules (Security & SD-WAN > Firewall) ?

Sorry for dumb question but just want to make sure!

6 Replies 6
Inderdeep
Kind of a big deal
Kind of a big deal

@jay_b : Firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN (both AutoVPN and Non-Meraki)

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
jay_b
Getting noticed

Thank you Inderdeep. In document it says : As such, the MX cannot block VPN traffic initiated by non-Meraki peers. So as example: If I put deny all rule , will site to site VPN still work or it will hit deny all ?

 

Inderdeep
Kind of a big deal
Kind of a big deal

@jay_b  By default, everything inbound is going to be blocked by default unless it's allowed by port forwarding or a 1:1 NAT rule for example, and of course any return traffic is allowed back inbound like any stateful firewall.

 

So you are going to block outbound traffic with Firewall rules..

 

Check layer 3 firewall rules, 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal... 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
jay_b
Getting noticed

Hello @Inderdeep 

 

Thanks for your response. Sorry If I am not explaining clearly. Let me explain it again.

 

As example : I have new fresh firewall.

 

1) I implemented 5 site-to-site VPN tunnels to AWS/Azure/GC.

2) Added  allow TCP any any 80

3) allow TCP any any 443

4) deny any any

 

Now my question is Do I have to add rule to allow individual tunnel's ip address ? like

allow any any tunnel1 IP address

allow any any tunnel2 IP address

 

 

ww
Kind of a big deal
Kind of a big deal

L3 firewall  doesnt work on vpn traffic

L3 Vpn firewall works on outgoing vpn traffic only.(traffic inside the tunnel)

 

jay_b
Getting noticed

@ww Thanks for quick response. That makes sense. So there won't be any affect on VPN. Awesome. Thanks

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels