Meraki

Community

Site-to-Site VPN Inbound Firewall - How to activate?

ErsanY
Conversationalist
‎Apr 13 2023 11:25 AM
‎Apr 13 2023 11:25 AM

Site-to-Site VPN Inbound Firewall - How to activate?

Hi,

 

We have recently bought a Cisco Meraki MX68. We have installed MX68 to one of our offices, lets call it Office A. There is a single vlan. VLAN100 on our Meraki MX68.

 

We have configured a Site-to-Site VPN tunnel between Office A (MX68) to Google Cloud (Cloud router). Everything is fine.

 

Many of our clients have got connections to our Google Cloud environment as well. Basically Google cloud is Hub and our Offices as well as clients are spoke.

 

The clients need to access Office A to connect some of the servers. But we need to control which client connects to what server on VLAN 100 and the services they try to access.

 

Because of this reason we need Site-so-Site inbound firewall capability. Otherwise MX68 is accepting everything inbound. This is unacceptable for us. I have reviewed the existing posts and someone has shared a link here. On that link it is showing Site-to-Site VPN configuration between Meraki MX and AWS, and there is a screenshot of Meraki MX with Site-to-Site Inbound Firewall. How can we have the same feature, inbound firewall, activated for our MX68 site-to-site VPNs?

Labels:
6 Replies 6
ww
Kind of a big deal
Kind of a big deal
‎Apr 13 2023 12:13 PM
‎Apr 13 2023 12:13 PM

You could try ask support if its possible to activate.

 

But afaik its not possible and it did show before on the dashboard but never worked.

 

https://community.meraki.com/t5/Security-SD-WAN/Inbound-Site-To-Site-VPN-Firewall-Rules-Are-Getting-...

 

In response to ww
ErsanY
Conversationalist
‎Apr 14 2023 4:41 AM
‎Apr 14 2023 4:41 AM

Thank you for sharing the link. That was from 2018. I will get in touch with cisco support.

0 Kudos
Jameson
Getting noticed
‎Apr 13 2023 1:00 PM
‎Apr 13 2023 1:00 PM

We recently purchased a FortiGate because of this exact issue. If you get a different response than "sorry we don't do that" from support, could you please share? Outside of this issue and the lower bandwidth capacity (dollar for dollar when compared to FortiGate), we were very happy with the Meraki MX line and would rather use them.

0 Kudos
In response to Jameson
ErsanY
Conversationalist
‎Apr 14 2023 4:46 AM
‎Apr 14 2023 4:46 AM

I will get in touch with Cisco support. This is very disappointing. Even a primitive network device with Site-to-Site VPN capability has got inbound firewall rules available for configuring. I could have bought a server and install an opensource firewall on it. It would have tones of features with zero limitations. I hope Cisco will make this possible. We will see.

0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Apr 13 2023 10:42 PM
‎Apr 13 2023 10:42 PM

This is the biggest restriction of the MX. If there are specific VPN needs I always place an ASA/FTD side by side to the MX. Another option is to have all peers on AutoVPN with an MX. There you can use the outbound firewall.

0 Kudos
In response to KarstenI
ErsanY
Conversationalist
‎Apr 14 2023 4:48 AM
‎Apr 14 2023 4:48 AM

There is an Internet provider MX250 sitting in front of our MX68. I know that it blocks the inbound traffic, not for the Site-to-Site VPN ecnryption domain traffic of course. But I wonder how that device is doing that, since it is MX series as well.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.