Meraki

Community

Create multiple Client VPN for Multiple Network

Simsima
Just browsing
‎Sep 2 2020 10:44 AM
‎Sep 2 2020 10:44 AM

Create multiple Client VPN for Multiple Network

Hello Comunity, 

 

I was wondering if it is possible to create multiple client VPN for different Tenants or Networks on Meraki.

 

I've two Network Lab for two different Tenant and a Firewall Meraki MX84,  I would like to create two client VPN each one can reach only it's own Lab Network without access to the other's network.

 

Thank you in advance.

 

0 Kudos
7 Replies 7
ww
Kind of a big deal
Kind of a big deal
‎Sep 2 2020 11:23 AM
‎Sep 2 2020 11:23 AM

You can only have 1 vpn subnet.

Do you mean you have 1 mx and 2 vlans?

You can do some fw rules using group policies, read this https://community.meraki.com/t5/Security-SD-WAN/Feature-Request-Apply-group-policies-to-Client-VPN/t...

 

Or do you have 2 networks with 2 mx?

 

0 Kudos
In response to ww
Simsima
Just browsing
‎Sep 2 2020 11:51 AM
‎Sep 2 2020 11:51 AM

Hello ww, 

 

thank you for your answer, Yes I've one MX and two different networks or site (each network has its VLANs), if the Meraki can let me create only one Subnet Client VPN, how can differentiate that a client can access to one network and not the other?

0 Kudos
In response to Simsima
ww
Kind of a big deal
Kind of a big deal
‎Sep 2 2020 12:00 PM
‎Sep 2 2020 12:00 PM

Using different group policies for different users. Its mentioned  here and also the limitations  https://community.meraki.com/t5/Security-SD-WAN/Feature-Request-Apply-group-policies-to-Client-VPN/t...

 

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin...

In response to ww
Simsima
Just browsing
‎Sep 3 2020 6:15 AM
‎Sep 3 2020 6:15 AM

Hello ww, 

 

Thank you for the link, I tried to create a Group Policy to limit the access and I applied it to a VPN Client, but it seems that it doesn't work.  it ignores the policy.

Furthermore, I read carefully the following post that you shared https://community.meraki.com/t5/Security-SD-WAN/Feature-Request-Apply-group-policies-to-Client-VPN/t...

 

and it says that it's not possible to apply the Group policies for the Client VPN,

please find attached the comment...Is there anyway we can do that?

"

 Fady
 
Meraki Employee
 
‎08-12-2018 11:14 PM
Re: Feature Request: Apply group policies to Client VPN

Hi @MillerJ

 

There is no workaround to apply different Group policies on Client VPN users as of today. Can I ask you to use the dashboard "Make a wish" section to add this request I think its valid request and by using make a wish section will help our product and engineering teams to consider these new enhancements. 

 

"

 

 

0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 2 2020 11:38 AM
‎Sep 2 2020 11:38 AM

Actually, the possibilities are highly limited here. The traffic from VPN-clients is subject to the L3 firewall, but for your use-case, you would need differentiated access. And as we can not apply group-policies via RADIUS for VPN-users as it is possible with wireless users, all clients are treated the same.

I really hope for more possibilities with the coming AnyConnect support.

 

How do I solve this problem? Nearly all my Meraki implementations have an additional ASA for all Client- and external S2S VPNs. A cheap Firepower 1010 is very often enough here.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
Simsima
Just browsing
‎Sep 2 2020 11:55 AM
‎Sep 2 2020 11:55 AM

Hello  Karstenl,

 

Thank you for your reply, I'm new on Meraki's world, but do you think that I can add a virtual FMC and FTD that could be managed by Meraki Cloud?

 

0 Kudos
In response to Simsima
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 2 2020 12:00 PM
‎Sep 2 2020 12:00 PM

Not the way that you have an FMC and FTP managed by the Meraki-Cloud. For having *one* cloud-managed solution, the Cisco Defense Orchestrator (CDO) is the Cisco solution. But it is likely that it does not fit your needs (yet). But you still can manage the FTD/ASA locally. Yes, I also do not really like that, but for now, it is IMO the only usable way.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.