We are creating a site-to-site VPN tunnel to a third party (MX 250 on our side, Palo 850 on the third party side). Since all of the layer3 FW rules are outbound only including VPN FW rules on the MX, how do I stop IP's on the remote third party side from accessing any subnets/VLAN's enabled over VPN? Bearing in mind that I have to setup the entire remote subnet in the Private subnets setup in our site-to-site vpn tunnel configuration on the MX.
I want to allow only a handful of IP's from the remote subnet to access any devices on my side of the tunnel.
I can put in DENY rules for outbound but since the FW's are stateful that doesn't stop connections initiated from the third party site. Anyone have any insight into the correct way to secure the tunnel?
We do not have any access to the third party FW.
Thanks
Sarvjit
