Meraki

treimers · ‎Dec 5 2019

Hi all -

I have a hub and spoke VPN configuration - one core MX-450 at our main datacenter, and three or four remote sites with one or more subnets at each site.

I'd like to control access to a few of those remote subnets that contain secure infrastructure.

I've put rules into the remote MX-67, but they don't seem to be taking effect -- as if the VPN tunnel/subnets routed over the VPN are "bypassing" the ACLs applied.

Do I need to do those ACLs to filter access to the remote subnets at the host side on the MX-450 instead of the remote side MX-67?

If there's documentation on Meraki's site regarding the behaviour of firewall ACLs with VPN tunnels, I've not found it.

Seems like there's documentation on VPNs, and then separate documentation on firewall rules.

Thanks Tim

BrechtSchamp · ‎Dec 5 2019

Hi Tim. Where did you configure the rules? You need to configure them in the Security & SD-WAN > Site-to-site VPN page. There's a section called Site-to-site outbound firewall there.

More info here:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

View solution in original post

BrechtSchamp · ‎Dec 5 2019

Hi Tim. Where did you configure the rules? You need to configure them in the Security & SD-WAN > Site-to-site VPN page. There's a section called Site-to-site outbound firewall there.

More info here:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

Meraki

Community

L2L hub/spoke VPN and impact on firewall rules

L2L hub/spoke VPN and impact on firewall rules