Inbound VPN firewall rules - desperately needed!

A model citizen


Two issues:

Client VPN - almost zero firewall rules around this, excluding the hack job of using group policy and assigning it to the VPN client device (which isn't reliable).


Site to Site VPN w/ 3rd party firewalls - no ability to block inbound traffic.  Meraki's position is that it all needs to be blocked "closest to the source".  That's all good and well, but what if you don't have control over the source?  We have multiple cases of setting up S2S VPNs w/ 3rd party firewalls and outside vendors.  I don't like it, I don't want to do it, but didn't have a choice.  The really terrible part is that we have to expose our entire network to the 3rd party and can't control the ingress on the VPN.


We NEED firewall rules on inbound VPN traffic - both S2S AND Client VPN - but especially S2S.  Every other firewall I've worked with has this capability.



Kind of a big deal

hi @lpopejoy - this feature has been requested for a long time.  At the moment the Meraki documentation states:


Considerations for VPN Firewall Rules

When configuring VPN Firewall rules, it is important to remember that traffic should be stopped as close to the originating client device as possible. This cuts down on traffic over the VPN tunnel and will result in the best network performance. Because of this, site-to-site firewall rules are applied only to outgoing traffic. As such, the MX cannot block VPN traffic initiated by non-Meraki peers. 


It just isn't available at the moment.  For this purpose alone we utilise ASAs for non-Meraki S2S VPNs.

Darren O'Connor

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

I know it isn't available, that's why I posted!  This needs someone inside Meraki to push it up the development path.  

Kind of a big deal

I also eagerly want them. Most of the time we have an additional ASA side by side for all extranet VPNs, same as @DarrenOC.

Well, not for all customers; some time ago a potential customer decided outright against the Meraki Fullstack because he thought we wanted to fool him with that approach.

Kind of a big deal

Most of the development effort is going into AnyConnect.


Right now, you can use RADIUS to assign group policy dynamically to client VPN users using the Filter-Id attribute. 


The story in this area is: if you want very basic client VPN connectivity, use the Microsoft VPN client; if you need anything more complex, use Cisco AnyConnect.


The Cisco AnyConnect support is excellent.  It is my most preferred client VPN deployment option.
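The Filter-Id mechanism mentioned above, as an added example that is not part of this thread or of Meraki's code: a RADIUS Access-Accept carrying Filter-Id (attribute type 11, RFC 2865) is built on the server side and then validated the way the VPN concentrator has to validate it (identifier, length field and Response Authenticator) before the group policy named in it is trusted. The shared secret, identifier, Request Authenticator and policy name are constructed sample values, and the MX's own parser is not shown; the point is that the policy assignment is only as trustworthy as the authenticator check in front of it.

```python
"""RADIUS Access-Accept carrying Filter-Id, built and then validated the way a
NAS must validate it before trusting the group-policy assignment.

Constructed example: packet layout and Response Authenticator follow RFC 2865
(Filter-Id is attribute type 11); the shared secret, identifier, Request
Authenticator and policy name are made-up sample values, not real credentials.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, filter_id: str) -> bytes:
    """Server side: Access-Accept whose Filter-Id names the group policy."""
    value = filter_id.encode("utf-8")
    if not 1 <= len(value) <= 253:
        raise ValueError("Filter-Id value must fit in one attribute")
    attrs = struct.pack("!BB", ATTR_FILTER_ID, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attributes(attrs: bytes) -> dict:
    """Walk the TLV attribute list; reject truncated or zero-length entries."""
    out = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("malformed attribute length")
        out.setdefault(a_type, []).append(attrs[i + 2:i + a_len])
        i += a_len
    return out


def verify_access_accept(packet: bytes, identifier: int,
                         request_authenticator: bytes, secret: bytes) -> dict:
    """NAS side: check code, identifier, length and the Response Authenticator
    before looking at any attribute. A forged or tampered reply is rejected."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet too short")
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if pkt_id != identifier:
        raise ValueError("identifier does not match the outstanding request")
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        raise ValueError("Response Authenticator mismatch")
    return parse_attributes(attrs)


def group_policy_from_accept(packet, identifier, request_authenticator, secret):
    """Name of the group policy to apply (first Filter-Id), or None if absent."""
    attrs = verify_access_accept(packet, identifier, request_authenticator, secret)
    values = attrs.get(ATTR_FILTER_ID)
    return values[0].decode("utf-8") if values else None


def is_rejected(packet, identifier, request_authenticator, secret) -> bool:
    """True when the NAS-side validation refuses the reply."""
    try:
        group_policy_from_accept(packet, identifier, request_authenticator, secret)
    except ValueError:
        return True
    return False


# Constructed sample values (not real credentials).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real NAS generates 16 random bytes per request
IDENTIFIER = 42
SAMPLE_ACCEPT = build_access_accept(IDENTIFIER, REQUEST_AUTH, SECRET, "Contractor-Restricted")

if __name__ == "__main__":
    print("policy:", group_policy_from_accept(SAMPLE_ACCEPT, IDENTIFIER, REQUEST_AUTH, SECRET))
    # Flip one bit of the Filter-Id value: the authenticator no longer matches.
    tampered = SAMPLE_ACCEPT[:-1] + bytes([SAMPLE_ACCEPT[-1] ^ 0x01])
    print("tampered reply rejected:", is_rejected(tampered, IDENTIFIER, REQUEST_AUTH, SECRET))
```

The Response Authenticator is the only thing binding the Filter-Id to the outstanding request and to the shared secret, so a reply whose authenticator is not checked (or whose secret is weak) lets anyone on the path choose which group policy the VPN user lands in.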

AnyConnect doesn't help with site to site.

…and it has a minimum license purchase of 25 licenses, which pretty much kills its usefulness for most of our clients. Otherwise, I agree.

Building a reputation

I too would love to be able to apply inbound rules on 3rd party S2S VPN.  At present I have to permit all traffic in when in reality all I want is to permit http/https traffic to specific IP addresses.
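The documented behaviour quoted earlier in the thread (site-to-site VPN firewall rules apply to outgoing traffic only, so the MX cannot block traffic initiated by a non-Meraki peer) together with the rule set this reply asks for (permit HTTP/HTTPS to specific addresses, deny the rest), as an added example that is not part of the thread or of Meraki's code. It models first-match evaluation of a VPN firewall rule list and shows which intended denies never take effect because the initiating side is the third-party peer. Rule dicts use the field names of the Dashboard API's organization VPN firewall rules; the matching logic, local and vendor subnets and sample flows are constructed assumptions.

```python
"""Model of MX site-to-site VPN firewall evaluation (constructed example).

Rule dicts use the field names of the Meraki Dashboard API's organization VPN
firewall rules (policy, protocol, srcCidr, srcPort, destCidr, destPort, comment);
the matching logic, subnets and flows below are assumptions written to
illustrate the documented behaviour, not Meraki's implementation.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str    # source IP of the first packet, i.e. who initiated the connection
    dst: str
    proto: str  # "tcp", "udp", "icmp"
    sport: int
    dport: int


def _cidr_match(spec: str, ip: str) -> bool:
    """Match an IP against 'Any' or a comma-separated list of CIDRs / addresses."""
    if spec.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in spec.split(","))


def _port_match(spec: str, port: int) -> bool:
    """Match a port against 'Any', single ports, ranges (lo-hi) or a list of them."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def first_match(rules, flow: Flow) -> str:
    """Policy of the first rule matching the flow; the implicit final rule is allow."""
    for rule in rules:
        if rule["protocol"].lower() not in ("any", flow.proto.lower()):
            continue
        if not (_cidr_match(rule["srcCidr"], flow.src)
                and _cidr_match(rule["destCidr"], flow.dst)
                and _port_match(rule["srcPort"], flow.sport)
                and _port_match(rule["destPort"], flow.dport)):
            continue
        return rule["policy"]
    return "allow"


def mx_verdict(rules, flow: Flow, local_subnets) -> str:
    """What the MX actually does: flows initiated locally traverse the rule list;
    flows initiated by a non-Meraki peer are not filtered (per the documentation)."""
    addr = ipaddress.ip_address(flow.src)
    if any(addr in ipaddress.ip_network(s) for s in local_subnets):
        return first_match(rules, flow)
    return "allow"  # inbound from the third-party peer: rules are not applied


def inbound_gap(rules, flows, local_subnets):
    """Flows the rule set intends to deny but the MX forwards anyway."""
    return [f for f in flows
            if first_match(rules, f) == "deny"
            and mx_verdict(rules, f, local_subnets) == "allow"]


# Constructed data: our LAN, a vendor reached over a non-Meraki S2S VPN, and the
# rule set asked for in the thread (web to one server, deny everything else).
LOCAL_SUBNETS = ["10.10.0.0/16"]
SAMPLE_RULES = [
    {"policy": "allow", "protocol": "tcp", "srcCidr": "Any", "srcPort": "Any",
     "destCidr": "10.10.1.20/32", "destPort": "80,443", "comment": "vendor web portal"},
    {"policy": "deny", "protocol": "any", "srcCidr": "Any", "srcPort": "Any",
     "destCidr": "Any", "destPort": "Any", "comment": "deny everything else"},
]
SAMPLE_FLOWS = [
    Flow("192.168.50.7", "10.10.1.20", "tcp", 51000, 443),  # vendor -> web, intended allow
    Flow("192.168.50.7", "10.10.1.20", "tcp", 51001, 22),   # vendor -> ssh, intended deny
    Flow("10.10.5.9", "192.168.50.7", "tcp", 51002, 22),    # our side -> vendor, denied
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto}  rule set says "
              f"{first_match(SAMPLE_RULES, f)}, MX does {mx_verdict(SAMPLE_RULES, f, LOCAL_SUBNETS)}")
    gap = inbound_gap(SAMPLE_RULES, SAMPLE_FLOWS, LOCAL_SUBNETS)
    print(f"{len(gap)} inbound flow(s) the MX cannot block from its side of the tunnel")
```

Running it shows the second flow as the gap: the rule list would deny SSH from the vendor to the internal server, but because the vendor initiates it, the MX never consults the list, which is exactly why the thread ends up placing an ASA in front of third-party tunnels.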
