MX Firewall, site to site vpn firewall, and Group Policies

CML_Todd
Getting noticed


I have some questions concerning firewalls and group policies on the MX security appliances.  The documentation isn't clear, and I've had mixed results in testing.

1. Does the firewall on the MX apply to traffic that goes across the site to site VPN tunnel?

2. Does a group policy with layer 3 restrictions apply to traffic that goes into a site to site VPN tunnel, or just to internet and local VLANs?

3. Is the site to site VPN tunnel firewall the only way to restrict traffic that enters the VPN tunnel?

Any help or suggestions are appreciated.  

PhilipDAth
Kind of a big deal

1. No.  You use separate VPN firewall rules.  This is under "Site to Site VPN".

Screenshot from 2017-12-07 08-40-22.png

2. Not sure.

3. Yes.

ITzhak
Getting noticed

Hi,

I would assume that the answer to 2 is yes, since the group policy is client-specific, not connection-specific.

Seshu
Meraki Employee

Hello,

1. No. Those will be the rules on the Site-to-Site VPN page.

2. Yes. Those rules are applicable to the specific clients that have that policy applied.

3. Yes, if you want to create a general rule, not a client-specific one.

CML_Todd
Getting noticed

Hello it's been awhile,

I've done additional testing, and I've found that a group policy applied to a specific network doesn't apply to traffic entering the site to site VPN tunnel. In a group policy named "public" at site A, I've denied "any" access to server-192.168.1.1, which sits across the site to site VPN at site B. I applied this policy to VLAN 120, 10.0.10.0/24.

In the site to site VPN firewall, I allow "any" access from 10.0.10.0/24 to 192.168.1.1.

I've found that devices in the 10.0.10.0/24 network can still communicate with server-192.168.1.1.

Unless I'm doing something wrong, it appears that the site to site VPN firewall rules take precedence over a group policy applied to a VLAN subnet.

PhilipDAth
Kind of a big deal
Kind of a big deal

Hi @CML_Todd. You are right about traffic entering the VPN (rules don't apply). The firewall rules only apply to traffic leaving your site via VPN.

Thanks for your reply. 

Another thing I found in testing is that when a Group Policy is applied directly to the client, the rules in the Group Policy seem to apply to VPN tunnel traffic. It seems funny to me that a Group Policy behaves differently depending on whether it's applied to a VLAN network or directly to a client.
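Since the thread concludes that only the site-to-site VPN firewall rules decide traffic leaving a site through the tunnel, a quick way to sanity-check a rule set is to evaluate a flow against it first-match. The evaluator below is an added example, not code from the thread or from Meraki; the rules are constructed in the JSON shape the Dashboard API uses for VPN firewall rules (policy/protocol/srcCidr/srcPort/destCidr/destPort/comment), and the trailing default allow is an assumption matching the dashboard's final default rule.

```python
import ipaddress

# Constructed rules mirroring CML_Todd's test (allow 10.0.10.0/24 -> 192.168.1.1),
# plus a second deny rule for admin ports toward the rest of site B's server subnet.
VPN_RULES = [
    {"policy": "allow", "protocol": "any", "srcCidr": "10.0.10.0/24", "srcPort": "Any",
     "destCidr": "192.168.1.1/32", "destPort": "Any", "comment": "vlan120 to server"},
    {"policy": "deny", "protocol": "tcp", "srcCidr": "Any", "srcPort": "Any",
     "destCidr": "192.168.1.0/24", "destPort": "22,3389", "comment": "block admin ports"},
]


def _cidr_match(cidr, ip):
    """'Any' or a comma-separated list of CIDRs, as the dashboard accepts."""
    if cidr.lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False) for c in cidr.split(","))


def _port_match(spec, port):
    """'Any', single ports, comma lists and lo-hi ranges (e.g. '22,3389' or '1000-2000')."""
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def vpn_firewall_decision(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """Return (policy, comment) of the first rule matching the flow.
    Rules are evaluated top-down; if none matches, the assumed default
    (the dashboard's trailing 'allow any') applies."""
    for r in rules:
        if r["protocol"].lower() not in ("any", proto):
            continue
        if not (_cidr_match(r["srcCidr"], src_ip) and _cidr_match(r["destCidr"], dst_ip)):
            continue
        if not (_port_match(r["srcPort"], src_port) and _port_match(r["destPort"], dst_port)):
            continue
        return r["policy"], r["comment"]
    return "allow", "implicit default allow"


if __name__ == "__main__":
    # CML_Todd's VLAN 120 host reaching the server: permitted by rule 1, as observed.
    print(vpn_firewall_decision(VPN_RULES, "tcp", "10.0.10.5", 40000, "192.168.1.1", 445))
    # A host outside VLAN 120 on RDP to another site B server: caught by rule 2.
    print(vpn_firewall_decision(VPN_RULES, "tcp", "10.0.20.5", 40000, "192.168.1.10", 3389))
```

Note that the deny rule is TCP-only, so the same destination over UDP falls through to the default allow; that is the kind of gap worth looking for when reviewing a real rule set pulled from the dashboard.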
