Meraki

Community

Site-to-site outbound firewall

Solved
RaphaelL
Kind of a big deal
Kind of a big deal
‎Aug 2 2019 5:52 AM
‎Aug 2 2019 5:52 AM

Site-to-site outbound firewall

Hi there , 

 

We have a remote site  ( MX65 ) with site-to-site VPN tunnel going to one of our MX cluster.

 

Somehow , someone managed to configure many  Site-to-site outbound firewall rules ( those rules are Org wide ! ).

 

Those rules are only there to permit or deny specific traffic comming from the remote site.

 

Why would you configure those rules on the site-to-site outbound firewall and not the MX ( remote site ) ? Currently any remote site ( that is participating to the site-to-site VPN ) is bound to those rules ( they are org wide ) 

 

Site-to-site

 

site-tosite.png

 

Vs firewall rules

firewall.png

 

Am I missing something ? 

0 Kudos
1 Accepted Solution
In response to RaphaelL
BrechtSchamp
Kind of a big deal
‎Aug 2 2019 7:20 AM
‎Aug 2 2019 7:20 AM

Yes. The regular firewall rules don't apply to VPN traffic.

 

They would apply to all your sites, but of course only the site that has a relevant subnet will actually be affected.

View solution in original post

5 Replies 5
BrechtSchamp
Kind of a big deal
‎Aug 2 2019 6:52 AM
‎Aug 2 2019 6:52 AM

That firewall is meant to control traffic between site-to-site VPN peers. Let's say for example you have a datacenter, and in that DC there are some servers that you want to be reachable only from some VPN branches. You would then configure the outgoing firewall from the point of view of the branch's subnets and block the access for the subnets you don't want to have access (it's a default allow firewall).

0 Kudos
In response to BrechtSchamp
RaphaelL
Kind of a big deal
Kind of a big deal
‎Aug 2 2019 7:10 AM
‎Aug 2 2019 7:10 AM

Let's say I want to block the remote site from reaching the servers. I would have to do this with the site-to-site VPN firewall outbound rules ? And these rules would also apply to ALL my other remote site ( 2k ) ? 

 

diag.png

0 Kudos
In response to RaphaelL
BrechtSchamp
Kind of a big deal
‎Aug 2 2019 7:20 AM
‎Aug 2 2019 7:20 AM

Yes. The regular firewall rules don't apply to VPN traffic.

 

They would apply to all your sites, but of course only the site that has a relevant subnet will actually be affected.

In response to BrechtSchamp
RaphaelL
Kind of a big deal
Kind of a big deal
‎Aug 2 2019 7:23 AM
‎Aug 2 2019 7:23 AM

Thanks for the info. 

 

I'm not really a fan of this , so I'm going to configure these rules on our NGFW behind the MX. I don't like to idea to mess with those site-to-site firewall rules and accidently blocking the traffic for our 2k remote sites. 

 

I will mark this as resolved 

0 Kudos
In response to RaphaelL
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 4 2019 3:57 PM
‎Aug 4 2019 3:57 PM

>I'm not really a fan of this , so I'm going to configure these rules on our NGFW behind the MX. I don't like to idea to mess with those site-to-site firewall rules and accidently blocking the traffic for our 2k remote sites. 

 

I typically use that approach.  I often have a "WAN" interface on the DC firewall, and then is where I plug in both MPLS WAN circuits and MPLS AutoVPN terminations.

I use the firewall to provide fine grained control, and the MX VPN firewall rules for course control.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.