MX Site-to-Site VPN with Third Party

Solved
Sarv
Getting noticed

We are creating a site-to-site VPN tunnel to a third party (MX 250 on our side, Palo 850 on the third party side). Since all of the layer 3 FW rules are outbound only, including VPN FW rules on the MX, how do I stop IPs on the remote third party side from accessing any subnets/VLANs enabled over VPN? Bearing in mind that I have to set up the entire remote subnet in the Private subnets setup of our site-to-site VPN tunnel configuration on the MX.

I want to allow only a handful of IPs from the remote subnet to access any devices on my side of the tunnel.

I can put in DENY rules for outbound, but since the FWs are stateful that doesn't stop connections initiated from the third party site. Anyone have any insight into the correct way to secure the tunnel?

We do not have any access to the third party FW.

Thanks


Sarvjit

1 Accepted Solution
ww
Kind of a big deal

You can't, using the normal firewall rules.

You could try to work something out using group policies attached to a VLAN. GP firewall rules are stateless.
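To make the point of the accepted answer concrete, here is a small Python model I added (it is not code from this thread, from Meraki, or from the Dashboard API). It assumes constructed subnets and a constructed "handful" of remote hosts, and it models two rule engines: a stateful engine that only evaluates rules on local-to-VPN traffic (the behaviour the question describes for MX VPN firewall rules) and a stateless engine that evaluates every packet sourced from the local VLAN (the behaviour of group policy L3 rules). The same deny list is fed to both, and the difference shows up on the reply packet of a connection the remote side initiates.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: the question names no addresses, so these are placeholders.
LOCAL_VLAN = "10.10.0.0/24"        # a local VLAN advertised over the tunnel (constructed)
REMOTE_SUBNET = "192.168.50.0/24"  # the third party's subnet, as entered in Private subnets (constructed)
ALLOWED_REMOTE_HOSTS = ["192.168.50.10/32", "192.168.50.11/32"]  # the "handful" of remote IPs (constructed)


def net(cidr):
    return ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    policy: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def outbound_rules_for_vlan():
    """Ordered rule list: allow the handful, deny the rest of the remote subnet, allow all else.
    Order matters: the deny must sit before the catch-all allow."""
    rules = [Rule("allow", net(LOCAL_VLAN), net(h)) for h in ALLOWED_REMOTE_HOSTS]
    rules.append(Rule("deny", net(LOCAL_VLAN), net(REMOTE_SUBNET)))
    rules.append(Rule("allow", net("0.0.0.0/0"), net("0.0.0.0/0")))
    return rules


def first_match(rules, src, dst):
    """First-match evaluation, as both MX and GP L3 rule lists are evaluated top down."""
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.policy
    return "allow"


class StatefulOutboundFirewall:
    """Models the MX site-to-site VPN firewall rules as described in the question:
    rules are consulted only for traffic leaving the local side into the VPN, and a
    flow that was already admitted in either direction has its reply traffic allowed."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def packet(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (dst, src) in self.flows:          # reply to an admitted flow: state wins, no rule lookup
            return "allow"
        if src in net(LOCAL_VLAN):            # local -> remote: outbound rules apply
            verdict = first_match(self.rules, src, dst)
        else:                                 # remote -> local: there is no inbound rule set
            verdict = "allow"
        if verdict == "allow":
            self.flows.add((src, dst))
        return verdict


class StatelessVlanPolicy:
    """Models a group policy L3 rule list attached to the local VLAN: every packet sourced
    from the VLAN is checked against the rules, replies to remote-initiated sessions included."""

    def __init__(self, rules):
        self.rules = rules

    def packet(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in net(LOCAL_VLAN):
            return first_match(self.rules, src, dst)
        return "allow"                        # traffic arriving from the tunnel is not what the VLAN policy filters


def remote_initiated_session(fw, remote_ip, local_ip="10.10.0.25"):
    """Returns (verdict on the remote host's first packet, verdict on the local host's reply)."""
    return fw.packet(remote_ip, local_ip), fw.packet(local_ip, remote_ip)


if __name__ == "__main__":
    rules = outbound_rules_for_vlan()
    for label, engine in (("stateful MX VPN rules", StatefulOutboundFirewall(rules)),
                          ("stateless GP rules", StatelessVlanPolicy(rules))):
        for remote in ("192.168.50.99", "192.168.50.10"):
            print(f"{label:22s} remote {remote} -> (inbound, reply) = {remote_initiated_session(engine, remote)}")
```

With the stateful engine the remote host 192.168.50.99 gets both its first packet and the local reply through, which is exactly the complaint in the question. With the stateless VLAN policy the first packet still reaches the local host (nothing on the MX side filters it), but the reply is dropped by the deny rule, so the session never completes; only the listed hosts get a working connection. Two caveats follow from the model: the deny breaks local-initiated sessions to the non-listed remote hosts as well, and the remote packet itself is not blocked, so a listening service on the local side still sees it.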

2 Replies

Sarv
Getting noticed

Thanks. I will try that, but ultimately Meraki needs to have a solution for Third Party VPN that allows L3 inbound rules to be created.
