MX84 proving internal network segmentation

Here to help


I have a SCADA network that I have firewalled and segmented off from the business network with a Meraki MX84. The business network is a large routed MAN over fiber. All private IP addressing. I now need to have a computer across the MAN access the SCADA network. Could I turn on VPN client on the MX84 and have the computer do a VPN over the inside MAN private IPs to the MX84 in order to create a secure tunnel?

Kind of a big deal

Unless the MAN connects to a WAN port of the MX, and even then, not likely (it doesn't work if you have NO-NAT mode enabled, which you usually would do if you had a MAN connected to the WAN port).


I can tell you what I have done in the past with some extra ideas. You can configure a Windows/Linux jump host (possibly on the SCADA network). I'll pretend it's Windows to keep the discussion simple.

Configure a firewall rule to only allow access to the jump host, and nothing on SCADA.  Only allow access to the SCADA network from the jump host.


Now users have to RDP to the jump host and then access SCADA.  The RDP session should be encrypted by default.


Next step up, deploy something like the Cisco Duo RDP agent, so that people accessing the jump host have to use MFA before they can get to the SCADA network. 


Next step up if you are super anal. Leave the jump host powered down by default so there is no remote access to SCADA at all. Also configure the jump host to shut down automatically after 60 minutes.

Have an approval process to get access to SCADA network.  If the request for access is approved (say for 7am), you power on the jump host at that time.  Remote user gets 60 minutes to complete what is required on their access request, and then access is automatically removed when the jump host shuts down.


Bonus points for enabling auditing on the jump host to make sure all logins are recorded and the IP address they are connecting from.
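An added example, not part of the thread or of any Meraki tooling: a small first-match rule simulator in Python that models the "business MAN may only RDP to the jump host, only the jump host may reach SCADA" design from the reply above, then runs the flows a practitioner would test to prove the segmentation. The subnets, the jump-host address, the Modbus/SNMP test flows and the rule order are all assumptions.

```python
# Added example (not from the thread). Models MX-style L3 rules as an ordered
# list with first-match semantics and an implicit allow at the end, so that the
# jump-host design can be checked before it is typed into the dashboard.
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions): business MAN, a jump-host subnet, SCADA.
BUSINESS = "10.0.0.0/8"
JUMP_NET = "192.168.40.0/24"
JUMP_HOST = "192.168.40.10/32"
SCADA = "192.168.50.0/24"
RDP = 3389

# Intended design: allow RDP to the jump host, allow jump host into SCADA,
# then explicitly deny everything else aimed at either segment.
RULES = [
    {"policy": "allow", "src": BUSINESS,  "dst": JUMP_HOST, "proto": "tcp", "port": RDP},
    {"policy": "allow", "src": JUMP_HOST, "dst": SCADA,     "proto": "any", "port": None},
    {"policy": "deny",  "src": "any",     "dst": JUMP_NET,  "proto": "any", "port": None},
    {"policy": "deny",  "src": "any",     "dst": SCADA,     "proto": "any", "port": None},
]
# Same rules with the broad SCADA deny moved to the top: a common ordering slip.
MISORDERED = [RULES[3]] + RULES[:3]

def _in(cidr, addr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr)

def evaluate(rules, src, dst, proto, port, default="allow"):
    """Return the policy the first matching rule applies to one flow."""
    for r in rules:
        if (_in(r["src"], src) and _in(r["dst"], dst)
                and r["proto"] in ("any", proto)
                and r["port"] in (None, port)):
            return r["policy"]
    return default  # nothing matched: the implicit trailing allow applies

def segmentation_holds(rules):
    """True only if every flow a reviewer would test behaves as intended."""
    checks = [
        ("10.20.30.40",   "192.168.40.10", "tcp", RDP, "allow"),  # MAN -> jump host RDP
        ("10.20.30.40",   "192.168.40.10", "tcp", 22,  "deny"),   # MAN -> jump host SSH
        ("10.20.30.40",   "192.168.50.77", "tcp", 502, "deny"),   # MAN -> PLC Modbus
        ("192.168.40.10", "192.168.50.77", "tcp", 502, "allow"),  # jump host -> PLC
        ("172.16.9.9",    "192.168.50.77", "udp", 161, "deny"),   # other -> SCADA SNMP
        ("10.20.30.40",   "10.99.1.1",     "tcp", 80,  "allow"),  # business traffic untouched
    ]
    return all(evaluate(rules, *c[:4]) == c[4] for c in checks)

if __name__ == "__main__":
    print("intended order:", segmentation_holds(RULES))      # True
    print("misordered   :", segmentation_holds(MISORDERED))  # False
```

The misordered variant fails because the jump host itself is caught by the early "deny any to SCADA" rule, which is the kind of silent break that a test list like this catches before a change window.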
