Inbound Layer 3 firewall rule to block traffic from a Non-Meraki peer

GoOn
Getting noticed

Inbound Layer 3 firewall rule to block traffic from a Non-Meraki peer

We have a VPN tunnel with a non-Meraki peer, with subnet 192.168.aaa.0/24.

I have to block a source ip address range to access one destination on my subnet (192.168.bbb.ccc/32).

Please note that I defined a VLAN with the subnet 192.168.bbb.0/24.

 

If I try to insert the following rule on the firewall:

Deny  |  Any  |  192.168.aaa.0/24  | 192.168.bbb.ccc/32  |  Any  |  Some comment

I receive the following error:

  • The IP address range 192.168.aaa.0/24 does not apply to any configured local or VPN subnets.

So, how to filter them via Firewall policy, not Group policy?

 

Many thanks in advance!

6 Replies
ww
Kind of a big deal

For VPN traffic you need to use the VPN firewall, but that does not work for incoming traffic from a 3rd-party VPN.

 

The only option is to use a group policy with stateless rules assigned to a VLAN.

GoOn
Getting noticed

But in Group Policies you have the possibility to indicate only the destination, not the origin.

 

I think I have difficulty understanding "group policy with stateless rules assigned to a VLAN", sorry!

PhilipDAth
Kind of a big deal

You apply a group policy to a specific host, so that is the origin. The origin is the machine you apply the group policy to.

GoOn
Getting noticed

I want to prevent clients behind the non-Meraki peer from accessing my clients. They are the origin.

So, I don't have those remote clients in my list, because they are on a non-Meraki peer.

I have only my clients in my list.

So, how can I block the remote ones from accessing mine?
ww
Kind of a big deal

With the group policy attached to the VLAN, traffic will come in, but all returning traffic will be dropped.
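
To make the difference between the two approaches concrete, here is a small added Python model (not code from this thread or from Meraki) of how a stateless VLAN group policy and a stateful inbound L3 rule treat the same connection. The addresses are constructed stand-ins for the thread's 192.168.aaa.0/24 (remote peer) and 192.168.bbb.ccc/32 (protected host); the rule semantics are the simplified first-match model assumed for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses standing in for the thread's placeholders; these values are
# assumptions for the demo, not the poster's real addressing.
PEER_NET = ipaddress.ip_network("192.168.10.0/24")         # 192.168.aaa.0/24: remote non-Meraki peer
PROTECTED_HOST = ipaddress.ip_network("192.168.20.50/32")  # 192.168.bbb.ccc/32: host on the local VLAN


@dataclass(frozen=True)
class Rule:
    action: str                 # "deny" or "allow"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src, dst):
        return src in self.src and dst in self.dst


def evaluate(rules, src, dst, default="allow"):
    """First matching rule wins; a packet matching no rule gets the default verdict."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return default


def run_flow(rules, initiator, responder, stateful):
    """Push a connection-opening packet and its reply through the rule set.

    stateful=False models a group-policy style stateless filter: every packet,
    including the reply, is judged on its own. stateful=True models the L3
    firewall: the verdict on the opening packet covers the whole flow.
    """
    initiator = ipaddress.ip_address(initiator)
    responder = ipaddress.ip_address(responder)
    request_verdict = evaluate(rules, initiator, responder)
    if stateful:
        reply_verdict = request_verdict
    else:
        reply_verdict = evaluate(rules, responder, initiator)
    return {"request": request_verdict, "reply": reply_verdict}


# A VLAN group policy can only describe traffic from a VLAN member, so the remote
# peer can appear only as the destination of the rule.
GROUP_POLICY_RULES = [Rule("deny", PROTECTED_HOST, PEER_NET)]

# The inbound L3 rule the poster tried to add: the remote peer is the source.
INBOUND_L3_RULES = [Rule("deny", PEER_NET, PROTECTED_HOST)]

if __name__ == "__main__":
    remote, local = "192.168.10.7", "192.168.20.50"
    # Stateless group policy: the opening packet from the peer is not matched and
    # gets through; only the reply from the protected host is dropped.
    print("group policy (stateless):", run_flow(GROUP_POLICY_RULES, remote, local, stateful=False))
    # Stateful inbound rule: the opening packet is denied, so nothing reaches the host.
    print("inbound L3 rule (stateful):", run_flow(INBOUND_L3_RULES, remote, local, stateful=True))
```

The stateless run returns `{"request": "allow", "reply": "deny"}`: the remote host's first packet still arrives at the protected host and only the answer is dropped, which is exactly the behaviour described above. The stateful run with the source-based rule returns a deny for the opening packet, so the flow never reaches the host; that is the property the poster is after and why a source-keyed inbound rule, where the platform accepts one, is the cleaner control.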

GoOn
Getting noticed

Yes, thanks. But I have to avoid that incoming traffic will come in!
