L2L hub/spoke VPN and impact on firewall rules

Solved
treimers
Here to help

Hi all -

I have a hub and spoke VPN configuration - one core MX-450 at our main datacenter, and three or four remote sites with one or more subnets at each site.

I'd like to control access to a few of those remote subnets that contain secure infrastructure.

I've put rules into the remote MX-67, but they don't seem to be taking effect -- as if the VPN tunnel/subnets routed over the VPN are "bypassing" the ACLs applied.

Do I need to do those ACLs to filter access to the remote subnets at the host side on the MX-450 instead of the remote side MX-67?

If there's documentation on Meraki's site regarding the behaviour of firewall ACLs with VPN tunnels, I've not found it.

Seems like there's documentation on VPNs, and then separate documentation on firewall rules.

Thanks, Tim

1 Accepted Solution
BrechtSchamp
Kind of a big deal

Hi Tim. Where did you configure the rules? You need to configure them in the Security & SD-WAN > Site-to-site VPN page. There's a section called Site-to-site outbound firewall there.

More info here:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior
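As an added illustration (not part of the thread or Meraki's own tooling) of what the accepted answer means in practice: the rules that govern traffic between hub and spoke subnets are the site-to-site outbound firewall rules, evaluated top-down with first match winning and an assumed implicit "allow any" at the end, so protecting a secure spoke subnet needs an explicit deny there. The rule fields follow the Dashboard API vpnFirewallRules shape as I understand it (an assumption), and all subnets, hosts and rules are constructed sample data.

```python
"""Added example: first-match evaluation of Meraki-style site-to-site VPN
outbound firewall rules. Field names (policy, protocol, srcCidr, srcPort,
destCidr, destPort) are assumed to match the Dashboard API vpnFirewallRules
schema; subnets and rules below are constructed sample data."""
import ipaddress

# Constructed topology: datacenter behind the hub MX-450, secure subnet behind a spoke MX-67.
HUB_NET = "10.0.0.0/16"
SECURE_NET = "10.20.5.0/24"
JUMP_HOST = "10.0.9.10/32"   # the only hub host that should manage the secure subnet

# Organization-wide site-to-site outbound firewall rules, top-down, first match wins.
# Assumed: the MX appends an implicit "allow any" rule, so restrictions must be explicit.
VPN_RULES = [
    {"comment": "jump host may manage secure infra", "policy": "allow",
     "protocol": "tcp", "srcCidr": JUMP_HOST, "srcPort": "Any",
     "destCidr": SECURE_NET, "destPort": "22,443"},
    {"comment": "nobody else reaches secure infra over the VPN", "policy": "deny",
     "protocol": "any", "srcCidr": "Any", "srcPort": "Any",
     "destCidr": SECURE_NET, "destPort": "Any"},
]

def _cidr_match(cidr, ip):
    """'Any' matches everything; otherwise the address must fall inside the CIDR."""
    return cidr.lower() == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def _port_match(spec, port):
    """Port specs are 'Any', a comma list, or ranges such as '1024-65535'."""
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, src_ip, dst_ip, proto, src_port, dst_port):
    """Return (policy, comment) of the first matching rule, else the implicit default allow."""
    for r in rules:
        if (r["protocol"] in ("any", proto)
                and _cidr_match(r["srcCidr"], src_ip)
                and _cidr_match(r["destCidr"], dst_ip)
                and _port_match(r["srcPort"], src_port)
                and _port_match(r["destPort"], dst_port)):
            return r["policy"], r["comment"]
    return "allow", "implicit default"

if __name__ == "__main__":
    print(evaluate(VPN_RULES, "10.0.9.10", "10.20.5.7", "tcp", 51000, 22))   # allow (jump host)
    print(evaluate(VPN_RULES, "10.0.3.44", "10.20.5.7", "tcp", 51000, 22))   # deny
    print(evaluate(VPN_RULES, "10.0.3.44", "10.30.1.1", "udp", 51000, 53))   # allow (default)
```

The same evaluation does not happen in the spoke MX-67's local Layer 3 firewall, which is why rules placed there had no effect on hub-to-spoke traffic.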
