VPN Firewall ACL

Solved
Johnfnadez


Hi,

 

I have Meraki spokes against my Meraki hubs, and I have been configuring some rules that I need for security reasons. So my customer is asking me how a technical person can tell whether the Meraki VPN firewall is blocking the traffic or whether the traffic is being blocked on the other side (they have Palo Alto firewalls at other network sites).

 

I think that the best option is performing a traceroute to verify where it is being blocked, because I have seen that, unlike the web filtering that shows a warning splash page saying that the traffic was blocked, those rules don't show that warning. And obviously users are not only consulting HTTP services; they use FTP or SFTP too.

 

Does anyone have an idea? I think that the best option is traceroute.

 

Regards,

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
1 Accepted Solution
PhilipDAth

I don't understand your topology. You talk about your hubs and spokes, so I presume you are using AutoVPN, but then you mention a Palo Alto, which doesn't support it. I'm not sure if you have a non-Meraki VPN to the Palo Alto, or if you are Ethernet connected to it.

 

I use the packet capture tool a lot to check connectivity.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Packet_Capture_Overv... 

 

Otherwise, if you really need to see firewall drops, you'll need to set up a syslog server (sorry to say):

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over... 

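As an added example (not from the original post, and not Cisco Meraki's own tooling): once the MX is exporting its flow records to a syslog server, the question "is the Meraki VPN firewall dropping this, or is it the far side?" reduces to searching those records for the flow in question. The small Python checker below parses flow lines and returns one of three verdicts: the MX logged a deny (block is on the Meraki side, and the record names the rule), the MX logged only allows (it forwarded the traffic, so look at the downstream Palo Alto), or no record at all (the packets never reached this MX's firewall; confirm with a packet capture before blaming either firewall). The line shape is assumed from the documented Meraki MX "flows" format; the device name, addresses, MAC and the "vpn_fw" rule label in the sample are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Line shape assumed from the Meraki MX "flows" syslog format:
#   <epoch> <device> flows src=A dst=B mac=M protocol=P sport=S dport=D pattern: <allow|deny> <rule text>
# mac/sport/dport are treated as optional so ICMP records without ports still parse;
# the optional "ip_" prefix is an assumption to also accept "ip_flows" records.
FLOW_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<device>\S+)\s+(?:ip_)?flows\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+(?:mac=\S+\s+)?"
    r"protocol=(?P<proto>\S+)\s+"
    r"(?:sport=(?P<sport>\d+)\s+)?(?:dport=(?P<dport>\d+)\s+)?"
    r"pattern:\s+(?P<action>allow|deny)\s*(?P<rule>.*)$"
)


@dataclass(frozen=True)
class Flow:
    ts: float
    device: str
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    action: str  # "allow" or "deny"
    rule: str    # rule text logged after the action


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one syslog line; return None for lines that are not flow records."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Flow(
        ts=float(g["ts"]), device=g["device"], src=g["src"], dst=g["dst"],
        proto=g["proto"].lower(),
        sport=int(g["sport"]) if g["sport"] else None,
        dport=int(g["dport"]) if g["dport"] else None,
        action=g["action"], rule=g["rule"].strip(),
    )


def classify(lines: Iterable[str], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[Flow]]:
    """Decide whether this MX dropped a flow matching src/dst/proto[/dport].

    DENIED_BY_MX  - a deny record matches; Flow.rule says which rule hit.
    ALLOWED_BY_MX - only allow records match; the MX forwarded it, look downstream.
    NOT_SEEN      - no matching record; the traffic never reached this MX's firewall.
    """
    first_allow: Optional[Flow] = None
    for line in lines:
        f = parse_flow(line)
        if f is None or (f.src, f.dst, f.proto) != (src, dst, proto.lower()):
            continue
        if dport is not None and f.dport != dport:
            continue
        if f.action == "deny":
            return "DENIED_BY_MX", f
        if first_allow is None:
            first_allow = f
    if first_allow is not None:
        return "ALLOWED_BY_MX", first_allow
    return "NOT_SEEN", None


# Constructed sample: four flow records plus one unrelated line. Device name,
# addresses, MAC and the "vpn_fw" rule label are invented for this demo.
SAMPLE_SYSLOG = """\
1548340214.001 MX_HUB flows src=10.10.20.15 dst=172.16.5.40 mac=00:18:0A:AA:BB:CC protocol=tcp sport=51244 dport=22 pattern: allow all
1548340215.118 MX_HUB flows src=10.10.20.15 dst=172.16.5.40 mac=00:18:0A:AA:BB:CC protocol=tcp sport=51245 dport=21 pattern: deny vpn_fw
1548340216.330 MX_HUB flows src=10.10.20.15 dst=8.8.8.8 mac=00:18:0A:AA:BB:CC protocol=udp sport=40021 dport=53 pattern: allow all
1548340217.009 MX_HUB flows src=10.10.20.15 dst=172.16.5.40 mac=00:18:0A:AA:BB:CC protocol=icmp pattern: allow all
this line is not a flow record
"""


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for port in (22, 21, 443):
        verdict, flow = classify(lines, "10.10.20.15", "172.16.5.40", "tcp", port)
        rule = f" (rule: {flow.rule})" if flow and flow.action == "deny" else ""
        print(f"tcp/{port}: {verdict}{rule}")
```

Note that the MX only emits these records if the syslog server entry in Dashboard has the Flows role enabled for it; with only the Event Log role selected you will get NOT_SEEN for everything, which is not the same as the traffic never reaching the MX. Pair a NOT_SEEN result with a packet capture on the MX's VPN or LAN interface before drawing a conclusion.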


CCIE-Adam

That's one of my biggest complaints with Meraki: the logging is not where I would prefer it to be. Seems crazy that we have to set up a syslog server for this.
