Meraki

GoOn · ‎Oct 7 2021

We have a VPN tunnel with a non-Meraki peer, with subnet 192.168.aaa.0/24.

I have to block a source ip address range to access one destination on my subnet (192.168.bbb.ccc/32).

Please note that I defined a VLAN with the subnet 192.168.bbb.0/24.

If I try insert the following rule on the firewall:

Deny | Any | 192.168.aaa.0/24 | 192.168.bbb.ccc/32 | Any | Some comment

I receive the following error:

The IP address range 192.168.aaa.0/24 does not apply to any configured local or VPN subnets.

So, how to filter them via Firewall policy, not Group policy?

Many thanks in advance!

ww · ‎Oct 7 2021

For vpn traffic you need to use vpn firewall, but that does not work for incoming traffic from 3rd party vpn.

Only option is to use a group policy with stateless rules assigned to a vlan

GoOn · ‎Oct 7 2021

But on Group Policies you have the possibility to indicate the destination only, not the origin.

I think to have difficulties to understand "group policy with stateless rules assigned to a vlan", sorry!

PhilipDAth · ‎Oct 7 2021

You apply a group policy to a specific host - so that is the origin. The origin is the machine you apply the group policy to.

GoOn · ‎Oct 7 2021

I want to avoid clients based on non-meraki peer can access my clients. Them are the origin.

So, I don't have those remote clients in my list, because the are on a non-meraki peer.

I have only my clients in my list.

So, how can I block the remote ones to acces to mine?

ww · ‎Oct 7 2021

With the group policy attached to vlan traffic will come in, but all returning traffic will be dropped.

GoOn · ‎Oct 8 2021

Yes, thanks. But I have to avoid that incoming traffic will come in!

Community