Site-to-Site VPN Firewall

muhrahkee
New here

Looking for some additional information regarding the site-to-site firewall rules. Our environment is a relatively standard hub/spoke model: "HQ" as the primary datacenter and connecting to remote sites. All are connected via Meraki MX (no non-Meraki VPN in this case). I want each remote site to access a specific subnet/VLAN and/or hosts at HQ, with all other traffic between the remote sites or other hosts at HQ being denied. Remote sites should not access each other.

I built out the allow rules based on this, with the hope of adding a "Deny All" at the bottom of the list to deny all other traffic not explicitly allowed by a rule. However, this does not seem to work. Upon adding the "deny all" rule, the remote sites can no longer access HQ despite the allow rule which should permit the traffic.

Example:

  • HQ Subnet: 192.168.1.0/24
  • Remote Site 1 Subnet: 192.168.2.0/24
  • Site-to-Site VPN rule: Allow Any (protocol) 192.168.1.0/24 (src) Any (port) 192.168.2.50/32 (dest) Any (port)
  • Site-to-Site VPN rule: Deny Any (protocol) Any (src) Any (port) Any (dest) Any (port)

How can this be accomplished with the site-to-site VPN firewall? I read the KB on this, but it's unclear to me. Same result substituting the /32 single host for a /24 subnet. Do I need the opposite rule added as well, to allow traffic both ways?

Thanks for helping to get my head around this.

3 Replies
Mr_IT_Guy
A model citizen

Have you tried selecting which VLANs you want to participate in the Site-to-Site VPN? If you go under Security Appliance > Configure > Site-to-site VPN, under the VPN settings is a section called local networks. If you select NO in section "Use VPN", this site will still be accessible to its local network but not to any remote sites. Additionally, if you scroll to the very bottom of that page, there is a section for Site-to-site outbound firewall. Site-to-site firewall rules control what traffic is allowed to pass through the VPN tunnel. These rules will apply to outbound VPN traffic. They will not apply to inbound traffic or to traffic that is not passing through the VPN.

DCooper
Meraki Alumni (Retired)

Based on your configuration the only thing that should be allowed is one host, that is the 192.168.2.50/32 device. Everything from all sites would be denied, so what you're seeing is expected behavior. You're using an implicit deny, so you will need to specify every single rule above that implicit deny. When inputting those rules, they apply to outbound traffic for all sites, not return traffic, so there is no need to add rules for return.

You may want to take a different approach and leave the implicit accept and only deny what you want to deny.

jbhehoman
Here to help

If you want all remote sites' participating VLANs to access the subnet at HQ:

Example:

  • HQ Subnet: 192.168.1.0/24
  • Remote Site 1 Subnet: 192.168.2.0/24
  • Site-to-Site VPN rule: Allow Any (protocol) Any (src) Any (port) 192.168.1.0/24 (dest) Any (port)
  • Site-to-Site VPN rule: Deny Any (protocol) Any (src) Any (port) Any (dest) Any (port)

This would block traffic originating at HQ destined to the remote sites unless you specify that with another allow rule before the Deny Any.
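To make the first-match behaviour discussed in this thread concrete, here is an added Python model (not Meraki's code and not any poster's) that walks an ordered site-to-site outbound rule list top to bottom and reports which rule decides a session-initiating flow. It runs the original post's ruleset and the allow-to-HQ ruleset from the reply above, plus a third, constructed per-site ruleset that gives each remote subnet its own allow toward HQ. The `Rule` and flow representation, the trailing built-in allow (standing in for the "implicit accept" mentioned earlier), the host addresses and ports, and the second remote subnet 192.168.3.0/24 are all assumptions made for this illustration; only the 192.168.1.0/24, 192.168.2.0/24 and 192.168.2.50/32 values come from the thread.

```python
# Added illustration, not Meraki's code: first-match evaluation of an ordered
# site-to-site outbound rule list. Only the session-initiating packet is
# checked, mirroring the point above that return traffic needs no rule.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    protocol: str   # "any", "tcp", "udp", "icmp"
    src: str        # CIDR or "any"
    sport: str      # port number, "lo-hi" range, or "any"
    dst: str        # CIDR or "any"
    dport: str      # port number, "lo-hi" range, or "any"


def _port_ok(rule_port: str, port: int) -> bool:
    """True when a port field ("any", "443", or "1024-65535") covers port."""
    if rule_port == "any":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-", 1))
        return lo <= port <= hi
    return int(rule_port) == port


def _net_ok(rule_net: str, ip: str) -> bool:
    """True when an address field ("any" or a CIDR) covers ip."""
    if rule_net == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_net, strict=False)


def rule_matches(rule: Rule, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    return (
        rule.protocol in ("any", proto)
        and _net_ok(rule.src, src)
        and _port_ok(rule.sport, sport)
        and _net_ok(rule.dst, dst)
        and _port_ok(rule.dport, dport)
    )


def evaluate(rules, proto, src, sport, dst, dport):
    """First matching rule decides. Returns (action, index); index None
    means nothing matched and the assumed built-in final allow applied."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, proto, src, sport, dst, dport):
            return rule.action, i
    return "allow", None


# Ruleset from the original post: the allow only matches flows whose
# *source* is the HQ subnet, so a remote-site client initiating toward HQ
# skips it and falls through to the deny.
OP_RULES = [
    Rule("allow", "any", "192.168.1.0/24", "any", "192.168.2.50/32", "any"),
    Rule("deny", "any", "any", "any", "any", "any"),
]

# Ruleset from the reply above: anything may initiate toward the HQ subnet;
# HQ-initiated and remote-to-remote flows hit the deny.
HQ_DEST_RULES = [
    Rule("allow", "any", "any", "any", "192.168.1.0/24", "any"),
    Rule("deny", "any", "any", "any", "any", "any"),
]

# Constructed here (not from the thread): one allow per remote subnet toward
# HQ keeps remote sites from reaching each other. 192.168.3.0/24 is an
# assumed second remote site.
PER_SITE_RULES = [
    Rule("allow", "any", "192.168.2.0/24", "any", "192.168.1.0/24", "any"),
    Rule("allow", "any", "192.168.3.0/24", "any", "192.168.1.0/24", "any"),
    Rule("deny", "any", "any", "any", "any", "any"),
]

# Constructed sample flows: (protocol, src, sport, dst, dport). Hosts and
# ports are made up for illustration.
FLOWS = {
    "remote1 -> HQ": ("tcp", "192.168.2.50", 51000, "192.168.1.10", 443),
    "HQ -> remote1 host": ("tcp", "192.168.1.10", 51001, "192.168.2.50", 22),
    "remote1 -> remote2": ("tcp", "192.168.2.50", 51002, "192.168.3.20", 445),
}


def decisions(rules):
    """Map each named sample flow to its first-match decision."""
    return {name: evaluate(rules, *flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("original post", OP_RULES),
                         ("allow-to-HQ", HQ_DEST_RULES),
                         ("per-site allow", PER_SITE_RULES)):
        print(label)
        for name, flow in FLOWS.items():
            action, idx = evaluate(rules, *flow)
            where = "built-in allow" if idx is None else f"rule {idx + 1}"
            print(f"  {name:20} {action:5} ({where})")
```

Running it shows the original post's list denying "remote1 -> HQ" while allowing "HQ -> remote1 host", which is the asymmetry the post describes; the allow-to-HQ list flips that; and the per-site list permits each remote subnet to reach HQ while still denying remote-to-remote traffic.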
