Home > Security and SD-WAN > Site-to-site VPN > Site-to-site VPN Firewall Rule Behavior

Site-to-site VPN Firewall Rule Behavior

Overview

Administrators have the ability to add firewall rules to restrict the traffic flow through the VPN tunnel for a Cisco Meraki MX Security Appliance. Similar to other Meraki firewall options, this firewall is stateful and will only block traffic if it does not match an existing flow.

These firewall rules will apply to all MX networks in the organization that participate in site-to-site VPN.

Creating Firewall Rules

To create a firewall rule, follow the steps below.

  1. Navigate to Security & SD-WAN > Configure > Site-to-site VPN.

  2. Select Add a rule in the Site-to-site outbound firewall under the Organization-wide settings section of the page.
    org-wide settings outbound rules.PNG

  3. Fill in the desired parameters for the rule

  4. Select Save changes.

 

Note - Inbound Firewall Rules

Note that there is currently a section for inbound firewall rules displayed in the Meraki dashboard. However, inbound firewall rules cannot be configured, and this is an error which will be resolved in a future dashboard update. Any rules saved in this field will not be preserved and will have no effect.

inbound_firewall_rules_error.png

Considerations for VPN Firewall Rules

When configuring VPN Firewall rules, it is important to remember that traffic should be stopped as close to the originating client device as possible. This cuts down on traffic over the VPN tunnel and will result in the best network performance. Because of this, site-to-site firewall rules are applied only to outgoing traffic. As such, the MX cannot block VPN traffic initiated by non-Meraki peers. 

 

The image below demonstrates a misconfigured site-to-site firewall rule. Since site-to-site firewall rules only apply to outbound traffic this rule will never be applied as the source subnet is not a LAN subnet on the MX:

d30aa9b1-b6db-475b-8479-481c7351c183

 

The following image demonstrates a site to site firewall rule that will be applied correctly. Traffic from the 10.0.1.0/24 subnet will not be able to reach 10.0.2.0/24 subnet since the 10.0.1.0/24 subnet is a LAN subnet on the MX.15abbaa0-386a-4f07-9421-b38b2f8ba60b

 


When traffic passing through the MX matches a site-to-site VPN route, VPN firewall rules are applied in descending order. VPN traffic is only subject to the site-to-site firewall rules and is never subject to Layer 3 firewall rules.

Last modified

Tags

Classifications

This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 1399

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community