VPN Local Breakout

Solved
Fabian1
Building a reputation

Hi everyone,

 

I'm just wondering what firewall rules (VPN or basic layer 3) are used when you define destinations that are not going over the 0.0.0.0/0 default 3rd party VPN tunnel.

I configured local internet breakout for the Meraki cloud connect and I'm not sure if I still have to add the Meraki ports in the VPN firewall or the firewall for internet traffic, or maybe both... Couldn't find the documentation here...

 

Thank you

1 Accepted Solution
Fabian1
Building a reputation

Answer from support:

 

When the MX matches the local internet breakout rule for the traffic, it sends it outbound locally via WAN and not via Site-to-site VPN. This means that the outbound firewall rules will be considered (Security & SD-WAN → Firewall page), not the S2S VPN rules (Security & SD-WAN → Site-to-site VPN page).
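The decision the support answer describes can be written down as a small policy model. The following is an added illustration, not code from the thread, from Meraki or from any MX firmware: the exclusion rules, the two rule sets, the addresses (192.0.2.0/24 is documentation space standing in for a cloud service's range) and the port numbers are all constructed. It shows why a rule added to the wrong one of the two firewalls has no effect: a flow that matches a local-breakout (VPN exclusion) rule is evaluated only against the Layer 3 outbound firewall, while everything else follows the 0.0.0.0/0 route into the tunnel and is evaluated only against the site-to-site VPN outbound firewall.

```python
"""Model of which outbound firewall an MX applies to a given flow.

Constructed example (not Meraki code).  Two-stage decision:
  1. Does the flow match a local-breakout / VPN-exclusion rule?
       yes -> egress via local WAN, check the Layer 3 outbound firewall
       no  -> egress via site-to-site VPN (0.0.0.0/0 default route),
              check the site-to-site VPN outbound firewall
  2. First-match evaluation of the selected rule set.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str           # "allow", "deny" or "breakout"
    proto: str            # "any" or a protocol name
    dst_cidr: str         # "any" or a CIDR prefix
    dports: Tuple[int, ...]  # () means any destination port

    def matches(self, flow: Flow) -> bool:
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if self.dst_cidr != "any" and ip_address(flow.dst) not in ip_network(self.dst_cidr):
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        return True


# Hypothetical local-breakout rules: destinations/ports that must bypass the
# full-tunnel default route and leave via the local WAN instead.
BREAKOUT_RULES = (
    Rule("breakout", "tcp", "192.0.2.0/24", (443, 7734)),
    Rule("breakout", "udp", "192.0.2.0/24", (7351,)),
)

# Hypothetical site-to-site VPN outbound firewall: what may enter the tunnel.
S2S_RULES = (
    Rule("allow", "any", "10.0.0.0/8", ()),
    Rule("deny", "any", "any", ()),
)

# Hypothetical Layer 3 outbound firewall: what may leave via the local WAN.
L3_RULES = (
    Rule("allow", "tcp", "any", (80, 443, 7734)),
    Rule("allow", "udp", "any", (7351,)),
    Rule("deny", "any", "any", ()),
)


def first_match(rules: Tuple[Rule, ...], flow: Flow) -> Optional[Rule]:
    """Return the first rule that matches the flow, or None."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return None


def evaluate(flow: Flow) -> Tuple[str, str, str]:
    """Return (egress path, firewall consulted, verdict) for one flow."""
    if first_match(BREAKOUT_RULES, flow) is not None:
        egress, firewall, rules = "wan", "l3_outbound", L3_RULES
    else:
        egress, firewall, rules = "s2s_vpn", "s2s_outbound", S2S_RULES
    rule = first_match(rules, flow)
    # The constructed rule sets end in an explicit deny, so this fallback is
    # only defensive; it is not a statement about the platform's default.
    verdict = rule.action if rule is not None else "allow"
    return egress, firewall, verdict


if __name__ == "__main__":
    # Constructed sample flows from a client behind the MX.
    samples = [
        Flow("10.1.1.10", "192.0.2.5", "tcp", 443),   # breakout -> L3 firewall
        Flow("10.1.1.10", "192.0.2.5", "tcp", 22),    # no breakout -> VPN firewall
        Flow("10.1.1.10", "10.20.0.5", "tcp", 445),   # site-to-site destination
    ]
    for f in samples:
        print(f, "->", evaluate(f))
```

The point of the model is the first branch in `evaluate`: once a flow is classified as local breakout, the site-to-site VPN firewall never sees it, so the allow rule for that traffic belongs in the Layer 3 outbound firewall. Conversely, a destination that is not excluded is evaluated only by the site-to-site VPN rules, even though the same MX hosts both rule sets.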

7 Replies
alemabrahao
Kind of a big deal

Sorry, but I didn't quite understand your question.
 
Like this? "I'm not sure if I still need to add the Meraki ports in the VPN firewall or in the firewall for Internet traffic"
 
Can you contextualize it a little better?
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Fabian1
Building a reputation

There are two firewalls on the MX, the site-to-site VPN outbound firewall and the firewall under configuration.

For VPN traffic, you have to configure the VPN firewall.

alemabrahao
Kind of a big deal

Sorry, but I still don't understand.
 
Do you have 2 different MXes, one just for the S2S VPN and the other for the internet?
 
Why that?
Fabian1
Building a reputation

No, I have one MX

 

On that one MX I have configured a default route to a 3rd party VPN.

But I don't want the Meraki Cloud traffic (switch, access point behind the MX) to be routed into the tunnel; that should go directly to the internet. I configured that under VPN Local Breakout.

Now I have to allow that traffic on the Site-to-site outbound firewall and/or the layer 3 outbound firewall. Where do I have to configure that?

alemabrahao
Kind of a big deal

If you don't want traffic from these devices to go through the tunnel, why don't you configure the VPN Exclusion Rules?

 

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)

Fabian1
Building a reputation

I did that...

 

My question is, on which firewall do I have to create the rules for the traffic to Meraki now, the site-to-site VPN firewall or the "normal" firewall? Both are on the Meraki MX.

 

I'm going to call support.
