Client VPN not able to access local LAN
Hi Experts,
I'm fairly new to Meraki products, so I configured Client VPN on an MX67 Security Appliance. The VPN is working, but I'm not able to access the local LAN. Attached below is a picture of both the Client VPN & Firewall pages; please point out what I'm doing wrong here?
Local LAN Subnet: 192.168.1.0/24
Client VPN Subnet: 192.168.10.0/24
Labels: Administrators, Other
How did you test it, that you came to the conclusion that it doesn't work? Often enough it is the local firewall on the destination device that drops the traffic.
You can capture on the LAN side of the MX and look if you see the client originated traffic.
I see that you have the DNS server setting set to use Google Public DNS. If you're attempting to reach internal resources via hostname, this will fail and you'll need to enter your internal DNS server.
Are you able to ping internal devices on the Local LAN via IP address?
I tried setting up the domain as DNS in the Client VPN; still not working. I can't ping my domain either.
Moreover, I found out I don't have a default gateway for the VPN. Why?
Are you attempting or plan to configure split tunneling on your end client?
Can you verify if you have the "use default gateway on remote network" checked or unchecked? See this KB on how to find the setting on the adapter if needed: https://documentation.meraki.com/MX/Client_VPN/Configuring_Split_Tunnel_Client_VPN
If you're using MacOS, see the other option on that page, and let me know.
I'm running on Windows 11 Pro
It seems it is checked by default.
Should I create a static route from the VPN subnet to the local subnet?
This is not needed. If you go to Network-Wide -> Packet Capture and take a packet capture on your MX's "LAN" interface, you'll notice that traffic from your client is traversing the VPN tunnel and being sent out on the LAN toward your DNS server; however, the DNS server is not responding. It is likely the firewall on the server that is dropping the traffic, but you'll need to investigate further as to why.
Can you ping the LAN IP of the MX?
You'll only be able to access internal servers via IP and not name using this configuration.
Also internal servers may need a Windows Firewall rule created to allow remote access from client VPN users.
Also, this configuration won't work if the subnet that the servers are on happens to be the same as the subnet that the users are connecting from at home.
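The reply above lists three separate things that can make a Client VPN look broken: reachability by IP versus by name, a host firewall on the server, and a home subnet that overlaps the office LAN. The script below is an added example (not from the thread, and not Meraki's or Microsoft's code) that runs on the Windows 11 VPN client while the tunnel is up and checks each one in turn. The office LAN (192.168.1.0/24) is the subnet from the thread; the MX LAN address, the domain controller's IP and its name are placeholders to be replaced.

```powershell
# Added example, not from the original thread. Run on the Windows VPN client
# while the Client VPN is connected.

$OfficeLan  = '192.168.1.0/24'       # local LAN subnet from the thread
$MxLanIp    = '192.168.1.1'          # placeholder: the MX's LAN address
$ServerIp   = '192.168.1.10'         # placeholder: the domain controller's address
$ServerFqdn = 'dc01.corp.example'    # placeholder: the domain controller's name

function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()  # big-endian
    [array]::Reverse($bytes)                                        # BitConverter wants little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Get-PrefixMask ([int]$PrefixLength) {
    # Build the mask with doubles to avoid signed-hex pitfalls; exact below 2^53.
    [uint32](([math]::Pow(2, $PrefixLength) - 1) * [math]::Pow(2, 32 - $PrefixLength))
}

function Test-CidrOverlap ([string]$CidrA, [string]$CidrB) {
    $a, $pa = $CidrA.Split('/'); $b, $pb = $CidrB.Split('/')
    # Two networks overlap when they agree on the bits covered by the shorter prefix.
    $mask = Get-PrefixMask ([math]::Min([int]$pa, [int]$pb))
    ((ConvertTo-UInt32 $a) -band $mask) -eq ((ConvertTo-UInt32 $b) -band $mask)
}

# 1. Does any local (non-loopback) subnet overlap the office LAN? If the home
#    router also hands out 192.168.1.x, the client never sends office traffic into the tunnel.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    ForEach-Object {
        $cidr = "$($_.IPAddress)/$($_.PrefixLength)"
        [pscustomobject]@{
            Interface         = $_.InterfaceAlias
            Address           = $cidr
            OverlapsOfficeLan = Test-CidrOverlap $cidr $OfficeLan
        }
    } | Format-Table -AutoSize

# 2. Which DNS servers does each adapter use? Internal names only resolve if the
#    VPN adapter points at an internal DNS server rather than a public one.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 3. Reachability by IP (ICMP to the MX, then the TCP ports that failed on the DC), then by name.
foreach ($t in @(
        @{ Name = 'MX LAN IP (ICMP)'; Target = $MxLanIp;  Port = 0 },
        @{ Name = 'DC by IP (SMB)';   Target = $ServerIp; Port = 445 },
        @{ Name = 'DC by IP (RDP)';   Target = $ServerIp; Port = 3389 })) {
    $r = if ($t.Port) {
        Test-NetConnection -ComputerName $t.Target -Port $t.Port -WarningAction SilentlyContinue
    } else {
        Test-NetConnection -ComputerName $t.Target -WarningAction SilentlyContinue
    }
    $ok = if ($t.Port) { $r.TcpTestSucceeded } else { $r.PingSucceeded }
    '{0,-20} -> {1}' -f $t.Name, $(if ($ok) { 'OK' } else { 'FAIL' })
}
$dns = Resolve-DnsName -Name $ServerFqdn -Type A -ErrorAction SilentlyContinue
'{0,-20} -> {1}' -f 'DC by name (DNS)', $(if ($dns) { $dns.IPAddress -join ',' } else { 'FAIL (no A record from the configured DNS)' })
```

Reading the output: if the MX LAN IP answers but the domain controller fails on both SMB and RDP by IP, routing through the tunnel is fine and the server's host firewall is the next place to look; if the IP tests pass and only the name lookup fails, the problem is the DNS server handed to VPN clients, not the VPN itself.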
Have you enabled the VPN client subnet on SD-WAN?
Security & SD-WAN > Configure > Site-to-site VPN
Please, if this post was useful, leave your kudos and mark it as solved.
Hi All,
You guys were right. It is the domain controller that is not able to connect, because other devices like switches, the gateway and access points were pingable & HTTPS accessible. But my domain controller, which is Windows Server 2022 Standard, is not pinging, nor is the SMB UNC path accessible, and RDP isn't either. Not sure if this is blocked by the server or the firewall?
I am most certain it is the server's OS firewall. I believe most Windows Servers block remote subnets by default for public profiles. You'll want to check the rules for the Windows Firewall on the server and adjust accordingly.
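Checking and adjusting the server's Windows Firewall for VPN clients, as the reply above recommends, can be done from an elevated PowerShell session on the domain controller. The script below is an added example, not code from the thread or from Microsoft: it shows which profile and default inbound action apply, which remote-address scope the built-in ICMP, SMB and RDP rules carry (a scope of LocalSubnet silently excludes the 192.168.10.0/24 VPN pool from the thread), and then adds rules that admit only that VPN subnet rather than opening the ports to everyone. The rule names are invented for the example.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the Windows Server whose firewall is suspected of dropping VPN traffic.

$VpnSubnet = '192.168.10.0/24'   # Client VPN subnet from the thread

# 1. Which profile is the LAN adapter in, and does that profile block inbound by default?
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory | Format-Table -AutoSize
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# 2. Inspect the existing inbound rules for the services that failed (ping, SMB, RDP)
#    together with their remote-address scope. 'LocalSubnet' means a VPN client on
#    192.168.10.x is not matched even though the rule is enabled.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayName -match 'File and Printer Sharing|Remote Desktop|Echo' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Profile       = $_.Profile
            Action        = $_.Action
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# 3. Add rules scoped to the VPN subnet only (least privilege: do not widen the
#    built-in rules to 'Any'). -Profile Any covers the case where the adapter
#    lands in the Public profile. Rule names are invented for this example.
New-NetFirewallRule -DisplayName 'ClientVPN - ICMPv4 Echo' -Direction Inbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $VpnSubnet -Profile Any

New-NetFirewallRule -DisplayName 'ClientVPN - SMB' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 445 -RemoteAddress $VpnSubnet -Profile Any

New-NetFirewallRule -DisplayName 'ClientVPN - RDP' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $VpnSubnet -Profile Any

# 4. Corroborate from the server side what the MX packet capture showed: log dropped
#    packets and look for anything still being dropped from the VPN pool.
Set-NetFirewallProfile -All -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 50 -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\bDROP\b' -and $_ -match '192\.168\.10\.' }
```

Run step 2 before and after step 3: the new rules should appear with RemoteAddress equal to the VPN subnet, and the drop log in step 4 should stop showing 192.168.10.x sources for ports 445 and 3389 once a VPN client retries. Group Policy can override local rules on a domain controller, so if the added rules do not take effect, check the policy-applied rule set (`Get-NetFirewallRule -PolicyStore ActiveStore`) as well.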
Yes, I will dig into the Windows Firewall and then come back and post once I find out.
