Administrators have the ability to add firewall rules to restrict the traffic flow through the VPN tunnel for a Cisco Meraki MX Security Appliance. Similar to other Meraki firewall options, this firewall is stateful and will only block traffic if it does not match an existing flow.
These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN.
To create a firewall rule, follow the steps below.
Navigate to Configure > Site-to-site VPN.
Click Add a rule in the Site-to-site firewall under the Organization-wide settings section of the page.
Fill in the desired parameters for the rule
Click Save changes.
When configuring VPN Firewall rules, it is important to remember that traffic should be stopped as close to the originating client device as possible. This cuts down on traffic over the VPN tunnel and will result in the best network performance. Because of this, site-to-site firewall rules are applied only to outgoing traffic. As such, the MX cannot block VPN traffic initiated by non-Meraki peers.
The image below demonstrates a misconfigured site to site firewall rule. Since site to site firewall rules only apply to outbound traffic this rule will never be applied as the source subnet is not a LAN subnet on the MX:
The following image demonstrates a site to site firewall rule that will be applied correctly. Traffic from the 10.0.1.0/24 subnet will not be able to reach 10.0.2.0/24 subnet since the 10.0.1.0/24 subnet is a LAN subnet on the MX.
When traffic passing through the MX matches a site-to-site VPN route, VPN firewall rules are applied in order. VPN traffic is only subject to the site-to-site firewall rules, and it is never subject to Layer-3 firewall rules.