Inbound Layer 3 firewall rule to block traffic from a Non-Meraki peer

GoOn
Getting noticed


We have a VPN tunnel with a non-Meraki peer, with subnet 192.168.aaa.0/24.

I have to block a source ip address range to access one destination on my subnet (192.168.bbb.ccc/32).

Please note that I defined a VLAN with the subnet 192.168.bbb.0/24.

 

If I try insert the following rule on the firewall:

Deny  |  Any  |  192.168.aaa.0/24  | 192.168.bbb.ccc/32  |  Any  |  Some comment

I receive the following error:

  • The IP address range 192.168.aaa.0/24 does not apply to any configured local or VPN subnets.

So, how to filter them via Firewall policy, not Group policy?

 

Many thanks in advance!
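Added example (not from the thread or from Meraki): a small Python model of the check that rejects the rule above. It assumes the dashboard only accepts an inbound L3 rule whose source and destination fall inside a subnet it manages (a local VLAN or an AutoVPN subnet), which is why a non-Meraki peer's range is refused even though a tunnel to it exists. All addresses are constructed samples standing in for the aaa/bbb/ccc placeholders.

```python
from ipaddress import ip_network

# Constructed sample topology (assumption, not the poster's real addresses):
# one local VLAN and one AutoVPN subnet are "known" to the dashboard; the
# non-Meraki peer's subnet is reachable over the tunnel but is not in that set.
LOCAL_VLAN_SUBNETS = [ip_network("192.168.20.0/24")]   # stands in for 192.168.bbb.0/24
AUTOVPN_SUBNETS = [ip_network("10.50.0.0/24")]         # a Meraki-to-Meraki peer
NON_MERAKI_PEER_SUBNETS = [ip_network("192.168.10.0/24")]  # stands in for 192.168.aaa.0/24


def known_subnets():
    """Subnets an inbound L3 rule may reference (model of the dashboard check)."""
    return LOCAL_VLAN_SUBNETS + AUTOVPN_SUBNETS


def covered(prefix):
    """True if the prefix lies entirely inside a configured local or VPN subnet."""
    net = ip_network(prefix, strict=False)
    return any(net.subnet_of(s) for s in known_subnets())


def validate_l3_rule(rule):
    """Return None if the rule is accepted, else the dashboard-style error text.

    `rule` is a dict with at least "src" and "dst" (CIDR or "any"), mirroring
    the columns of the rule quoted in the question.
    """
    for field in ("src", "dst"):
        value = rule[field]
        if value.lower() != "any" and not covered(value):
            return (f"The IP address range {value} does not apply to any "
                    "configured local or VPN subnets.")
    return None


if __name__ == "__main__":
    # The rule from the question, with constructed addresses: rejected because
    # the source is a non-Meraki peer subnet, not a local or AutoVPN one.
    rule = {"policy": "deny", "protocol": "any", "src": "192.168.10.0/24",
            "dst": "192.168.20.5/32", "port": "any", "comment": "Some comment"}
    print(validate_l3_rule(rule))
```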

ww
Kind of a big deal

For VPN traffic you need to use the VPN firewall, but that does not work for incoming traffic from a 3rd party VPN.

 

The only option is to use a group policy with stateless rules assigned to a VLAN.

GoOn
Getting noticed

But in Group Policies you have the possibility to indicate only the destination, not the origin.

 

I think I have difficulties understanding "group policy with stateless rules assigned to a vlan", sorry!

PhilipDAth
Kind of a big deal

You apply a group policy to a specific host, so that is the origin. The origin is the machine you apply the group policy to.

I want to avoid that clients based on the non-Meraki peer can access my clients. They are the origin.

So, I don't have those remote clients in my list, because they are on a non-Meraki peer.

I have only my clients in my list.

So, how can I block the remote ones from accessing mine?
ww
Kind of a big deal

With the group policy attached to the VLAN, traffic will come in, but all returning traffic will be dropped.

GoOn
Getting noticed

Yes, thanks. But I have to prevent that incoming traffic from coming in!
