L3 Firewall Rules and "On-VPN" network interaction.

SOLVED
PAI-Aaron
New here

I have an MX84 configured with 3 VLANs, each of which is assigned a /24 subnet from the 172.16.0.0/12 block. The networks are designated inside, DMZ, and guest.

I'm trying to understand the firewall / security interaction when I mark the DMZ network as "On-VPN". In particular I have firewall rules:

1: allow tcp (DMZ host) any (VPN-Connected host) any

...

8: deny Any (DMZ subnet) Any Any Any

The goal is to deny everything from the DMZ network by default (rule 8 above); what's killing me is that my default deny rule doesn't seem to apply to networks that are part of our VPN-connected mesh.

I can't ping the inside network from (DMZ host), I can't ping the guest network from (DMZ host), but I can ping any IP address on a subnet connected to the MX84 via the Meraki cloud.

So is there an implied "permit" rule hidden somewhere that is overriding my L3 rules on the MX84 because the destination is part of our VPN mesh? If so, how can I prevent (DMZ host) from accessing everything connected to our VPN mesh? We have about 40 subnets advertised this way, and I only want to permit my DMZ network to access specific hosts on specific endpoints.

1 ACCEPTED SOLUTION
ww
Kind of a big deal

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

Outbound rules

Here you can configure permit or deny Access Control List (ACL) statements to determine what traffic is allowed between VLANs or out from the LAN to the Internet. These ACL statements can be based on protocol, source IP address and port, and destination IP address and port. These rules do not apply to VPN traffic. To configure firewall rules that affect traffic between VPN peers, please refer to Site-to-site VPN Settings.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior
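To make the split the linked documents describe concrete, here is an added Python model of the MX rule evaluation. It is not Meraki code and not part of the original thread: it reproduces the asker's symptom (the outbound L3 rules, including rule 8, are never consulted for a destination learned from an AutoVPN peer, so the site-to-site VPN rule set's implicit allow wins) and then shows the same DMZ policy repeated in the site-to-site VPN rules, which is the table that actually governs traffic into the mesh. The VLAN subnets, peer subnets, host addresses and rule contents are constructed to match the question, not real values, and the model assumes both tables end in an implicit "allow any", which is how the Dashboard presents them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology matching the question: three local VLANs on the MX84
# and two example subnets advertised by other AutoVPN sites (assumed values).
LOCAL_VLANS = {
    "inside": ipaddress.ip_network("172.16.1.0/24"),
    "DMZ": ipaddress.ip_network("172.16.2.0/24"),
    "guest": ipaddress.ip_network("172.16.3.0/24"),
}
VPN_PEER_SUBNETS = [ipaddress.ip_network(n) for n in ("172.16.10.0/24", "172.16.11.0/24")]


@dataclass(frozen=True)
class Rule:
    policy: str     # "allow" or "deny"
    protocol: str   # "any", "tcp", "udp" or "icmp"
    src: str        # source CIDR
    dst: str        # destination CIDR
    comment: str = ""

    def matches(self, proto, src_ip, dst_ip):
        return (self.protocol in ("any", proto)
                and src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst))


# The asker's outbound L3 rules, with concrete (constructed) addresses.
OUTBOUND_RULES = [
    Rule("allow", "tcp", "172.16.2.10/32", "172.16.10.25/32", "rule 1: DMZ host -> VPN host"),
    Rule("deny", "any", "172.16.2.0/24", "0.0.0.0/0", "rule 8: DMZ default deny"),
]

# Site-to-site VPN firewall rules as the asker has them: none, so only the
# implicit "allow any" at the end of that table applies.
VPN_RULES_EMPTY = []

# The fix implied by the accepted answer: the DMZ policy has to be expressed
# in the site-to-site VPN rule set too, because that is the table consulted
# for traffic towards AutoVPN peers.
VPN_RULES_FIXED = [
    Rule("allow", "tcp", "172.16.2.10/32", "172.16.10.25/32", "DMZ host -> specific VPN host"),
    Rule("deny", "any", "172.16.2.0/24", "0.0.0.0/0", "DMZ -> rest of the VPN mesh"),
]


def first_match(rules, proto, src_ip, dst_ip):
    """First-match evaluation; the table ends in an implicit allow (assumption)."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip):
            return rule.policy, rule.comment
    return "allow", "implicit default allow"


def evaluate(proto, src, dst, outbound_rules, vpn_rules):
    """Return (table consulted, policy, matching comment) for one flow.

    A destination inside a subnet learned from an AutoVPN peer is checked
    against the site-to-site VPN rules only; every other destination (other
    local VLANs, the Internet) goes through the outbound L3 rules.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(dst_ip in peer for peer in VPN_PEER_SUBNETS):
        policy, why = first_match(vpn_rules, proto, src_ip, dst_ip)
        return "site-to-site VPN", policy, why
    policy, why = first_match(outbound_rules, proto, src_ip, dst_ip)
    return "outbound", policy, why


if __name__ == "__main__":
    dmz_host, inside_host, vpn_host = "172.16.2.10", "172.16.1.5", "172.16.10.25"
    flows = [("icmp", dmz_host, inside_host),
             ("icmp", dmz_host, vpn_host),
             ("tcp", dmz_host, vpn_host)]
    for label, vpn_rules in (("no VPN rules", VPN_RULES_EMPTY), ("VPN rules added", VPN_RULES_FIXED)):
        print(f"--- {label} ---")
        for proto, s, d in flows:
            table, policy, why = evaluate(proto, s, d, OUTBOUND_RULES, vpn_rules)
            print(f"{proto:4} {s} -> {d}: {policy:5} ({table}: {why})")
```

Running it prints the ping from the DMZ host to the inside host denied by rule 8, the same ping to the VPN host allowed by the site-to-site table's implicit allow, and, once the VPN rules are added, only the TCP flow to the specific VPN host surviving. The practical point for the asker's 40 advertised subnets is that the deny has to be written in the site-to-site VPN rule set, and that rule set is configured organization-wide in the Dashboard rather than per network, so the source-scoped deny reaches every peer.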
