Site-to-Site VPN Inbound Firewall - How to activate?
We have recently bought a Cisco Meraki MX68. We have installed the MX68 in one of our offices, let's call it Office A. There is a single VLAN, VLAN100, on our Meraki MX68.
We have configured a Site-to-Site VPN tunnel between Office A (MX68) and Google Cloud (Cloud Router). Everything is fine.
Many of our clients have connections to our Google Cloud environment as well. Basically, Google Cloud is the hub and our offices as well as our clients are spokes.
The clients need to access Office A to connect to some of the servers. But we need to control which client connects to which server on VLAN 100 and which services they try to access.
For this reason we need Site-to-Site inbound firewall capability. Otherwise the MX68 accepts everything inbound. This is unacceptable for us. I have reviewed the existing posts and someone has shared a link here. That link shows a Site-to-Site VPN configuration between a Meraki MX and AWS, and there is a screenshot of a Meraki MX with a Site-to-Site Inbound Firewall. How can we have the same feature, an inbound firewall, activated for our MX68 site-to-site VPNs?
We recently purchased a FortiGate because of this exact issue. If you get a different response than "sorry we don't do that" from support, could you please share? Outside of this issue and the lower bandwidth capacity (dollar for dollar when compared to FortiGate), we were very happy with the Meraki MX line and would rather use them.
I will get in touch with Cisco support. This is very disappointing. Even a primitive network device with Site-to-Site VPN capability has inbound firewall rules available to configure. I could have bought a server and installed an open-source firewall on it. It would have tons of features with zero limitations. I hope Cisco will make this possible. We will see.
This is the biggest restriction of the MX. If there are specific VPN needs I always place an ASA/FTD side by side with the MX. Another option is to have all peers on AutoVPN with an MX. There you can use the outbound firewall.
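To make the AutoVPN option above concrete, here is an added example (not code from this thread or from Meraki) that builds the kind of outbound site-to-site VPN ruleset that would restrict each client spoke to specific servers and ports on Office A's VLAN100, and then checks flows against it with first-match semantics. The rule field names (`policy`, `protocol`, `srcCidr`, `srcPort`, `destCidr`, `destPort`, `syslogEnabled`) and the `PUT .../appliance/vpn/vpnFirewallRules` endpoint are how I recall the Meraki Dashboard API representing these rules; treat them as assumptions and verify against the current API documentation. All subnets and hosts are constructed for the example, and the rules are only useful for peers whose traffic enters the VPN through a Meraki MX, which is the whole point of the AutoVPN suggestion.

```python
"""Build and sanity-check a Meraki-style site-to-site VPN firewall ruleset.

Added example, not Meraki's code. Field names and endpoint follow the
Meraki Dashboard API as I recall it (assumption; verify before use).
All addresses are constructed for illustration.
"""
import ipaddress
import json
import urllib.request
from typing import Dict, List, Tuple

# Constructed topology: two client spokes and two servers on Office A's VLAN100.
CLIENT_A = "192.168.10.0/24"
CLIENT_B = "192.168.20.0/24"
OFFICE_A_VLAN100 = "10.100.0.0/24"
APP_SERVER = "10.100.0.10/32"
DB_SERVER = "10.100.0.20/32"

# Each tuple is one explicit allow: (comment, protocol, srcCidr, destCidr, destPort).
ALLOWLIST: List[Tuple[str, str, str, str, str]] = [
    ("Client A to app server HTTPS", "tcp", CLIENT_A, APP_SERVER, "443"),
    ("Client B to app server HTTPS", "tcp", CLIENT_B, APP_SERVER, "443"),
    ("Client B to DB server PostgreSQL", "tcp", CLIENT_B, DB_SERVER, "5432"),
]


def build_vpn_rules(allowlist, protected: str = OFFICE_A_VLAN100) -> List[Dict]:
    """Explicit allows followed by a logged catch-all deny toward the protected subnet."""
    rules = []
    for comment, proto, src, dst, dport in allowlist:
        rules.append({"comment": comment, "policy": "allow", "protocol": proto,
                      "srcCidr": src, "srcPort": "Any", "destCidr": dst,
                      "destPort": dport, "syslogEnabled": False})
    # Without this rule anything not matched above would be allowed (the default
    # behaviour the original poster objects to), so it must always be last.
    rules.append({"comment": "Deny everything else to Office A VLAN100",
                  "policy": "deny", "protocol": "any", "srcCidr": "Any",
                  "srcPort": "Any", "destCidr": protected, "destPort": "Any",
                  "syslogEnabled": True})
    return rules


def _cidr_match(spec: str, ip: str) -> bool:
    if spec.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    """Accepts 'Any', a single port, a range 'a-b', or a comma-separated mix."""
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules: List[Dict], src_ip: str, dst_ip: str, proto: str,
             dst_port: int, src_port: int = 0) -> str:
    """First matching rule wins; no match means implicit allow, as on the MX."""
    for r in rules:
        if r["protocol"].lower() not in ("any", proto.lower()):
            continue
        if not (_cidr_match(r["srcCidr"], src_ip) and _cidr_match(r["destCidr"], dst_ip)):
            continue
        if not (_port_match(r["srcPort"], src_port) and _port_match(r["destPort"], dst_port)):
            continue
        return r["policy"]
    return "allow"


def has_default_deny(rules: List[Dict], protected: str = OFFICE_A_VLAN100) -> bool:
    """Guard against pushing a ruleset that silently falls through to allow."""
    if not rules or rules[-1]["policy"] != "deny":
        return False
    last = rules[-1]
    covers = last["destCidr"].lower() == "any" or ipaddress.ip_network(
        protected).subnet_of(ipaddress.ip_network(last["destCidr"], strict=False))
    return covers and last["protocol"].lower() == "any" and last["srcCidr"].lower() == "any"


def push_rules(org_id: str, api_key: str, rules: List[Dict]) -> int:
    """Push org-wide VPN firewall rules. Endpoint/header are assumptions; not run here."""
    if not has_default_deny(rules):
        raise ValueError("refusing to push a ruleset without a trailing deny")
    url = f"https://api.meraki.com/api/v1/organizations/{org_id}/appliance/vpn/vpnFirewallRules"
    req = urllib.request.Request(url, data=json.dumps({"rules": rules}).encode(),
                                 method="PUT",
                                 headers={"X-Cisco-Meraki-API-Key": api_key,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    rs = build_vpn_rules(ALLOWLIST)
    print(json.dumps(rs, indent=2))
    print(evaluate(rs, "192.168.10.5", "10.100.0.20", "tcp", 5432))
```

The point of `evaluate` and `has_default_deny` is the implicit-allow fallthrough: if the trailing deny is dropped or reordered, Client A silently gains access to the DB server even though no allow rule names it, which is exactly the situation the thread is trying to avoid.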
There is an Internet provider MX250 sitting in front of our MX68. I know that it blocks inbound traffic, not for the Site-to-Site VPN encryption domain traffic of course. But I wonder how that device is doing that, since it is an MX series device as well.