Group policy on Meraki site to site vpn

SOLVED
CML_Todd
Getting noticed

Group policy on Meraki site to site vpn

Do group policies apply to traffic in Meraki site to site vpn?

 

Network A and Network B are connected via a Meraki site 2 site vpn tunnel.  I have site to site vpn firewall rules setup to block RDP from computers in Network A from accessing computers in Network B.  And there are also site to site vpn rules setup to block RDP from computers in Network B from accessing computers in Network A.  

 

However, I need IT staff in Network A to be able to remote desktop into computers in Network B.  I've created a group policy in Network A with no restrictions and applied it directly to the IT staff computer in Network A.  This computer still can't remote into the computers in Network B. 

 

This leads me to believe the group policy with no restrictions doesn't apply to site to site vpn traffic. Does anyone know if this is true? 

1 ACCEPTED SOLUTION
Bruce
Kind of a big deal

@CML_Todd as you’ve discovered, the Group Policy doesn’t override the site-to-site VPN firewall - that’s always been my understanding. The Group Policy rules can override the global Layer 3 firewall on the MX, and on a MR, and allow for Group Policy ACL on MS (depending on model and firmware). 

You will need to put the IT staff in a separate VLAN to achieve your outcome.

View solution in original post

4 REPLIES 4
Inderdeep
Kind of a big deal
Kind of a big deal

@CML_Todd : Check this to understand in detail on group policies 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying... 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

Inderdeep,

 

I've read this document, and it doesn't mention anything about whether the group policies apply to site to site vpn connections.  I couldn't find any documentation that mentions it.  

 

Thanks for the reply.

Bruce
Kind of a big deal

@CML_Todd as you’ve discovered, the Group Policy doesn’t override the site-to-site VPN firewall - that’s always been my understanding. The Group Policy rules can override the global Layer 3 firewall on the MX, and on a MR, and allow for Group Policy ACL on MS (depending on model and firmware). 

You will need to put the IT staff in a separate VLAN to achieve your outcome.

CML_Todd
Getting noticed

Bruce,

 

I haven't found any official documentation saying Group Policies don't override site to site VPN firewall rules.  I wanted to see if anyone else could confirm my findings before I created a separate IT staff VLAN at all of my locations. 

 

Thanks for the input, I appreciate it!

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels