There are various threads already bemoaning the lack of inbound firewall rules for Non-Meraki VPN Peers (bump for Product Management to take a look at that please), but rather than just pile-on, I wanted to see if anyone had got this working by way of workaround.
Scenario:
We have an MX in the office that provides Client VPN (native and AnyConnect) connectivity to the office/server environment (while we all work from home), and we want to add a Non-Meraki VPN peer to allow all our internal systems to access a SaaS solution. From a security perspective though, the traffic that could originate from this SaaS provider is a complete unknown and we don't want to to open our network up to takeover via a 3rd party, but without inbound VPN firewall rules this isn't possible with the MX.
The Workaround:
Could I install another MX in a different 'organization' behind the Office MX, let's call this the DMZ MX, and then configure the DMZ MX with 2 non-Meraki VPN peers, i.e.:
1: (Office MX) <-- (DMZ MX)
2: (DMZ MX) --> SaaS
This would allow the DMZ MX to specify what is allowed outbound to the Office MX.
From the Office MX side I would configure a static route to the SaaS IP subnets via the DMZ MX IP address, allowing me to address the SaaS provider systems as if it was a direct VPN tunnel. Presumably then traffic originating from the SaaS provider's network will be treated as 'outbound' then it egresses the DMZ MX in the direction of the Office MX, allowing firewall rules to be applied.
The main complication that I can see if that I I only have one internet connection and a single public IP, so I would need to create a VLAN on the Office MX and plug the DMZ MX into it for internet connectivity (and add firewall rules to prevent the DMZ MX from accessing the internal subnets). Presumably I may then also need to open some ports inbound on the Office MX to allow IPsec tunneling to the DMZ MX.
Has anyone tried this? Did it work? Any gotchas?
