MX to MX VPN using inbound VPN Firewall rules

gaskew


Hi all, can anyone provide a definitive answer to this as the documentation is very conflicting.


Can you tell me, if I use the Hub (MESH) to create my tunnels, will I be able to use the Organization-Wide Settings for site-to-site outbound and site-to-site inbound firewall rules?

It is slightly confusing as they are listed under non-Meraki VPN peers (do they only work for this, or for all VPNs?).


There is also a pop out information box which indicates outbound rules will work but not inbound rules.

Furthermore, I have found 2 conflicting documents on the forums.


So can I use the site-to-site firewall rules (outbound and inbound) on Meraki-only Mesh VPNs?

Many thanks


VPN Firewall Rules

You can add firewall rules to control what traffic is allowed to pass through the VPN tunnel. These rules will apply to outbound VPN traffic to/from all MX appliances in the Organization that participate in site-to-site VPN. These rules are configured in the same manner as the Layer 3 firewall rules described on the Firewall Settings page of this documentation. Note that VPN Firewall rules will not apply to inbound traffic or to traffic that is not passing through the VPN.

BrechtSchamp

Yes they apply to the traffic of AutoVPN too. However the inbound firewall rules list is a bogus list. It isn't actually getting applied. See docs:

Note - Inbound Firewall Rules

Note that there is currently a section for inbound firewall rules displayed in the Meraki dashboard. However, inbound firewall rules cannot be configured, and this is an error which will be resolved in a future dashboard update. Any rules saved in this field will not be preserved and will have no effect.


Source: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior
