Meraki

Community

MX Firewall, site to site vpn firewall, and Group Policies

CML_Todd
Getting noticed
‎Dec 6 2017 9:07 AM
‎Dec 6 2017 9:07 AM

MX Firewall, site to site vpn firewall, and Group Policies

I have some questions concerning firewalls and group policies on the MX security appliances.  The documentation isn't clear, and I've had mixed results in testing.

 

1.  Does the firewall on the MX apply to traffic that goes across the site to site VPN tunnel? 

2.  Does a group policy with layer 3 restrictions apply to traffic that goes into a site to site vpn tunnel, or just to intenet and local vlans?   

3.  Is the site to site vpn tunnel firewall the only way to restrict traffic that enters the vpn tunnel?  

 

Any help or suggestions are appreciated.  

6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 6 2017 11:41 AM
‎Dec 6 2017 11:41 AM

1. No.  You use separate VPN firewall rules.  This is under "Site to Site VPN".

Screenshot from 2017-12-07 08-40-22.png

2. Not sure.

3. Yes.

0 Kudos
ITzhak
Getting noticed
‎Dec 7 2017 11:52 PM
‎Dec 7 2017 11:52 PM

Hi,

 

I would assume that the answer to 2 is yes since the group policy is on the client specific, not on the connection specific

0 Kudos
Seshu
Meraki Employee
Meraki Employee
‎Dec 8 2017 6:41 PM
‎Dec 8 2017 6:41 PM

Hello,

 

1.  No. That will be the rules in Site-To-Site VPN Page. 

2. Yes. Those rules are applicable to specific clients that have that policy applied.

3. Yes, if you want to create a general rule, not client specific one.

 

0 Kudos
In response to Seshu
CML_Todd
Getting noticed
‎May 4 2018 11:29 AM
‎May 4 2018 11:29 AM

Hello it's been awhile,

 

I've done additional testing, and I've found that a group policy applied to a specific network doesn't apply to traffic entering the site to site vpn tunnel.  In the a group policy named "public" at site A, I've denied "any" access to server-192.168.1.1 that sits across the site to site vpn at site B.  I applied this policy to vlan 120 10.0.10.0/24.

 

In the site to site vpn firewall, I allow "any" access from 10.0.10.0/24 to 192.168.1.1.  

 

I've found that devices in the 10.0.10.0/24 network can still communicate with the server-192.168.1.1. 

 

Unless I'm doing something wrong, it appears that the site to site vpn firewall rules take precedence over a group policy applied to a vlan subnet.    

In response to CML_Todd
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 4 2018 1:31 PM
‎May 4 2018 1:31 PM

Hi @CML_Todd.  Your are right about traffic entering the VPN (rules don't apply). The firewall rules only apply to traffic leaving your site via VPN.

0 Kudos
In response to PhilipDAth
CML_Todd
Getting noticed
‎May 8 2018 11:44 AM
‎May 8 2018 11:44 AM

Thanks for your reply. 

 

Another thing I found in testing is that when a Group Policy is applied directly to the client, the rules in the Group Policy seem to apply to vpn tunnel traffic.  It seems funny to me that a Group Policy behaves differently depending on whether it's applied to a Vlan Network or directly to a client.  

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.