Site-to-site outbound firewall

SOLVED
RaphaelL
Kind of a big deal

Hi there,

We have a remote site (MX65) with a site-to-site VPN tunnel going to one of our MX clusters.

Somehow, someone managed to configure many site-to-site outbound firewall rules (those rules are org-wide!).

Those rules are only there to permit or deny specific traffic coming from the remote site.

Why would you configure those rules on the site-to-site outbound firewall and not on the MX (remote site)? Currently any remote site (that is participating in the site-to-site VPN) is bound to those rules (they are org-wide).

Site-to-site (screenshot: site-tosite.png)

Vs firewall rules (screenshot: firewall.png)

Am I missing something?

1 ACCEPTED SOLUTION

Yes. The regular firewall rules don't apply to VPN traffic.

They would apply to all your sites, but of course only the site that has a relevant subnet will actually be affected.

5 REPLIES
BrechtSchamp
Kind of a big deal

That firewall is meant to control traffic between site-to-site VPN peers. Let's say for example you have a datacenter, and in that DC there are some servers that you want to be reachable only from some VPN branches. You would then configure the outgoing firewall from the point of view of the branch's subnets and block the access for the subnets you don't want to have access (it's a default allow firewall).
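The two answers above say the same thing from different angles: the VPN outbound rules are org-wide, but a rule only bites a spoke whose advertised subnet matches its source. This added audit script (not code from the thread or from Meraki) makes that visible for every deny rule; the rule field names follow the Meraki Dashboard API's organization VPN firewall rules resource (an assumption), and the rules and site subnets are constructed sample data.

```python
import ipaddress

# Constructed sample of org-wide site-to-site VPN outbound rules, using the field
# names of the Meraki Dashboard API resource
# GET /organizations/{organizationId}/appliance/vpn/vpnFirewallRules (assumption).
VPN_FIREWALL_RULES = [
    {"comment": "Block Branch-A from DC servers", "policy": "deny", "protocol": "any",
     "srcCidr": "10.10.1.0/24", "srcPort": "Any", "destCidr": "10.0.50.0/24", "destPort": "Any"},
    {"comment": "Deny every branch SSH to DC mgmt", "policy": "deny", "protocol": "tcp",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "10.0.99.0/24", "destPort": "22"},
    {"comment": "Default rule", "policy": "allow", "protocol": "Any",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": "Any"},
]

# Constructed sample: the subnets each (hypothetical) spoke advertises into the VPN.
SITE_SUBNETS = {
    "Branch-A": ["10.10.1.0/24"],
    "Branch-B": ["10.10.2.0/24"],
    "Branch-C": ["10.10.3.0/24", "10.10.4.0/24"],
}

def _cidrs(field):
    """Parse a srcCidr/destCidr value; 'Any' yields None, meaning every address."""
    if field.strip().lower() == "any":
        return None
    return [ipaddress.ip_network(c.strip(), strict=False) for c in field.split(",")]

def affected_sites(rule, site_subnets):
    """Sites whose advertised subnets overlap the rule's srcCidr; 'Any' hits every
    site, otherwise only spokes advertising an overlapping subnet are touched."""
    rule_nets = _cidrs(rule["srcCidr"])
    if rule_nets is None:
        return sorted(site_subnets)
    hit = {site for site, subnets in site_subnets.items()
           if any(ipaddress.ip_network(s, strict=False).overlaps(r)
                  for s in subnets for r in rule_nets)}
    return sorted(hit)

def audit(rules, site_subnets):
    """List each deny rule with the sites it affects and whether it is unscoped."""
    report = []
    for idx, rule in enumerate(rules):
        if rule["policy"].lower() != "deny":
            continue
        report.append({"index": idx, "comment": rule["comment"],
                       "sites": affected_sites(rule, site_subnets),
                       "orgWide": _cidrs(rule["srcCidr"]) is None})
    return report
```

Running `audit()` over a real rule set pulled from the API, with the per-network VPN subnets as `site_subnets`, shows which deny rules are scoped to one spoke and which ones, with `srcCidr` set to Any, would silently apply to all 2k sites.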

Let's say I want to block the remote site from reaching the servers. I would have to do this with the site-to-site VPN firewall outbound rules? And these rules would also apply to ALL my other remote sites (2k)?

(diagram: diag.png)


Thanks for the info.

I'm not really a fan of this, so I'm going to configure these rules on our NGFW behind the MX. I don't like the idea of messing with those site-to-site firewall rules and accidentally blocking the traffic for our 2k remote sites.

I will mark this as resolved.

PhilipDAth
Kind of a big deal

> I'm not really a fan of this, so I'm going to configure these rules on our NGFW behind the MX. I don't like the idea of messing with those site-to-site firewall rules and accidentally blocking the traffic for our 2k remote sites.

I typically use that approach. I often have a "WAN" interface on the DC firewall, and that is where I plug in both MPLS WAN circuits and MPLS AutoVPN terminations.

I use the firewall to provide fine-grained control, and the MX VPN firewall rules for coarse control.
