Meraki

Community

Should vpn access rules be part of the layer 3 outbound area, or layer 3 inbound area?

Solved
Announcer
Getting noticed
‎Nov 3 2023 10:47 PM
‎Nov 3 2023 10:47 PM

Should vpn access rules be part of the layer 3 outbound area, or layer 3 inbound area?

I have one vpn setup in the MX, along with some other vlans.  Where would I put access/firewall rules concerning the vpn subnet?  In the inbound section or outbound?  For example I want vpn subnet to have access to a file share on vlan2?   What about non-vpn inter vlan access; would I put these in inbound or outbound section?

 

thanks.

0 Kudos
1 Accepted Solution
Brash
Kind of a big deal
Kind of a big deal
‎Nov 4 2023 2:31 AM
‎Nov 4 2023 2:31 AM

To add to @KarstenI 's post, if you're talking about client VPN (rather than site-to-site vpn), you use outbound rules.

 

https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_...

View solution in original post

3 Replies 3
KarstenI
Kind of a big deal
Kind of a big deal
‎Nov 4 2023 1:58 AM
‎Nov 4 2023 1:58 AM

If the traffic comes from or goes to the VPN, the rules need to be configured on the organization-wide VPN-rules. VPN traffic is not filtered by L3 Firewall rules. For inter VLAN-traffic, they have to be in the outbound section of the L3 rules. Inbound is for traffic from the WAN.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Brash
Kind of a big deal
Kind of a big deal
‎Nov 4 2023 2:31 AM
‎Nov 4 2023 2:31 AM

To add to @KarstenI 's post, if you're talking about client VPN (rather than site-to-site vpn), you use outbound rules.

 

https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_...

In response to Brash
Announcer
Getting noticed
‎Nov 4 2023 9:06 AM
‎Nov 4 2023 9:06 AM

Yes, it's client vpn.  Thanks for verifying.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.