Non-Meraki VPN Peers and Site-To-Site FW Rules

MFisher
Here to help

Non-Meraki VPN Peers and Site-To-Site FW Rules

We are setting up a new Non-Meraki VPN Peer to connect 2 different organizations.  One end has Auto-VPN peers in addition to this new Non-Meraki peer.

 

Is it required to configure the remote site "Non-Meraki VPN Peer" subnets to the "Site-to-Site Outbound firewall rules" on the hub hosting both Auto-VPN and Non-Meraki peers?

 

Or do I only need to configure the subnets in the "Non-Meraki VPN Peers" configuration above that?

 

Thanks,

3 REPLIES 3
Inderdeep
Kind of a big deal

@MFisher : This below link helps you to understand, MX Design: Integrating Non-Meraki VPN into AutoVPN

https://www.willette.works/merging-meraki-vpns 

 

Regards
Inderdeep Singh
www.thenetworkdna.com ( Awarded by Cisco IT Blogs award 2020)
Bruce
Kind of a big deal

@MFisher both the settings at the bottom of that page are organisation-wide.

 

When you create the non-Meraki VPN peer it will route traffic over that VPN based on the subnets you configure in the peer information. You can restrict which networks in the organisation build connections to the non-Meraki peer using tags, but note that a non-Meraki VPN can’t be accessed across an AutoVPN, I.e. traffic flow can’t be across an AutoVPN hop, then across the non-Meraki VPN.

 

The VPN firewall settings are also organisation-wide, so anything you put in there will apply to all networks, including the AutoVPN links. By default it allows everything, but you can obviously create a more restrictive policy if needed.

 

So in answer to your question. Configure the subnets only in the non-Meraki peer configuration to start with, leaving the site-to-site outbound VPN firewall as allow any to any. Once you’ve got the VPN working then you can restrict it with the outbound VPN firewall if needed.

Our Non-Meraki peer in the different organization is up and communicating through our Hub that hosts both Auto-VPN and Non-Meraki peer connections.

 

However, on our Hub in the separate organization, we have an implicit deny configured on its "Site-to-Site VPN outbound firewall" rules.

 

So apparently the "site-to-site outbound firewall" rules do not restrict "Non-Meraki VPN peer" traffic since we never included those remote subnets in the site-to-site outbound firewall rules on our Hub.  We only specified the Non-Meraki peer subnets in the "Non-Meraki VPN peer" configuration.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels