Create multiple Client VPN for Multiple Network

Simsima
Just browsing

Hello Community,

 

I was wondering if it is possible to create multiple client VPNs for different tenants or networks on Meraki.

 

I have two lab networks for two different tenants and a Meraki MX84 firewall. I would like to create two client VPNs, each of which can reach only its own lab network without access to the other's network.

 

Thank you in advance.

 

7 REPLIES
ww
Kind of a big deal

You can only have 1 vpn subnet.

Do you mean you have 1 mx and 2 vlans?

You can do some fw rules using group policies, read this https://community.meraki.com/t5/Security-SD-WAN/Feature-Request-Apply-group-policies-to-Client-VPN/t...

 

Or do you have 2 networks with 2 mx?

 

Simsima
Just browsing

Hello ww, 

 

Thank you for your answer. Yes, I have one MX and two different networks or sites (each network has its VLANs). If Meraki lets me create only one client VPN subnet, how can I differentiate so that a client can access one network and not the other?

Simsima
Just browsing

Hello ww, 

 

Thank you for the link. I tried to create a group policy to limit the access and I applied it to a VPN client, but it seems that it doesn't work. It ignores the policy.

Furthermore, I read carefully the following post that you shared https://community.meraki.com/t5/Security-SD-WAN/Feature-Request-Apply-group-policies-to-Client-VPN/t...

 

and it says that it's not possible to apply group policies to the Client VPN.

Please find the comment attached... Is there any way we can do that?

"

 Fady
 
Meraki Employee
Re: Feature Request: Apply group policies to Client VPN

Hi @MillerJ

 

There is no workaround to apply different Group policies on Client VPN users as of today. Can I ask you to use the dashboard "Make a wish" section to add this request? I think it's a valid request, and using the "Make a wish" section will help our product and engineering teams to consider these new enhancements.

 

"

 

 

KarstenI
Kind of a big deal

Actually, the possibilities are highly limited here. The traffic from VPN clients is subject to the L3 firewall, but for your use case, you would need differentiated access. And as we cannot apply group policies via RADIUS for VPN users as is possible with wireless users, all clients are treated the same.

I really hope for more possibilities with the coming AnyConnect support.

 

How do I solve this problem? Nearly all my Meraki implementations have an additional ASA for all Client- and external S2S VPNs. A cheap Firepower 1010 is very often enough here.

Hello Karstenl,

 

Thank you for your reply. I'm new to the Meraki world, but do you think that I can add a virtual FMC and FTD that could be managed by the Meraki cloud?

 

KarstenI
Kind of a big deal

Not in the way that you have an FMC and FTD managed by the Meraki cloud. For having *one* cloud-managed solution, the Cisco Defense Orchestrator (CDO) is the Cisco solution. But it is likely that it does not fit your needs (yet). But you can still manage the FTD/ASA locally. Yes, I also do not really like that, but for now, it is IMO the only usable way.
