2 separate Client VPNs to connect to 2 separate VLANs/Networks

Tom_M
New here


Hello all,

I have 2 companies that exist in the same building using the same MX100

We need to separate them so that they don't have access to each other's resources.

I configured 2 separate VLANs and have the 2 networks isolated from there on, however I need a solution for remote access.

I'm trying to configure an MX100 to do either 1 of 2 things:

1. Have 2 separate 'client VPN' configs so that you can only access the company to which you belong.

Problem: doesn't look like this is supported.

2. Placed an MX68 behind the MX100. Use the 'client VPN' from the MX100 for one company, and the 'client VPN' from the MX68 for the second company.

Problem: I'm not able to connect to the VPN from the MX68 behind the MX100.

- I have NATed one of the MX100 public IP addresses to the WAN address of the MX68.

Some guidance would be appreciated.

Thanks,

Tom_M

6 Replies
alemabrahao
Kind of a big deal

You can use another solution like OpenVPN.

https://openvpn.net/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Tom_M
New here

Which appliance would OpenVPN run on? 

I'm looking at staying in the same ecosystem if possible, it would be easier to manage.

alemabrahao
Kind of a big deal

Unfortunately not, you need another solution.

Tom_M
New here

Would you know why the client VPN on the MX68 behind the MX100 isn't working?

alemabrahao
Kind of a big deal

Because the client VPN does not work behind NAT.

PhilipDAth
Kind of a big deal

I'll give you a couple of options.  I'm assuming you are using the Microsoft client VPN.

Configure a split tunnel connection on the clients. For each client, only include their subnet. You can do this using this tool to deploy the client VPN connection on the machines using PowerShell.

https://ifm.net.nz/cookbooks/meraki-client-vpn.html 

Another option is to use group policy (one for each client). Create a firewall rule only allowing them access to their respective VLAN. Wait for them to VPN in once, and then apply the group policy to their connection. It will stick after that.

Another option is using RADIUS (such as Windows NPS).  You can return the Filter-Id attribute to automatically select the correct group policy.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RA... 
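As an added illustration of the split-tunnel option above (this is example code, not from the thread or the ifm.net.nz tool), a PowerShell snippet that creates a Meraki-style L2TP/IPsec Client VPN profile on a Windows machine with split tunneling enabled and adds only one company's VLAN subnet as a route. The connection name, server address, pre-shared key and subnet are placeholders you would replace per company.

```powershell
# Added example: deploy a split-tunnel Client VPN profile for one company on a Windows client.
# All values below are placeholders (assumptions), not values from the thread.
param(
    [string]$ConnectionName = 'CompanyA VPN',
    [string]$VpnServer      = 'vpn.example.com',   # public IP or DDNS name of the MX100
    [string]$Psk            = 'REPLACE_WITH_PSK',  # Client VPN pre-shared key
    [string]$CompanySubnet  = '10.10.10.0/24'      # the VLAN this company's users may reach
)

# Recreate the profile so repeated runs leave exactly one route set.
$existing = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if ($existing) { Remove-VpnConnection -Name $ConnectionName -Force }

# Meraki Client VPN is L2TP over IPsec with a PSK; PAP is used inside the tunnel
# when authenticating against the Meraki cloud user database.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $VpnServer `
    -TunnelType L2tp `
    -L2tpPsk $Psk `
    -AuthenticationMethod Pap `
    -EncryptionLevel Required `
    -SplitTunneling `
    -RememberCredential `
    -Force

# With split tunneling on, Windows only routes explicitly added prefixes through
# the tunnel, so add just this company's VLAN and nothing else.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $CompanySubnet

# Show the result so the operator can confirm only the intended prefix is routed.
Get-VpnConnection -Name $ConnectionName | Select-Object Name, ServerAddress, SplitTunneling
Get-VpnConnectionRoute -ConnectionName $ConnectionName
```

Client-side split tunneling only shapes routing on the endpoint and does not stop a user from adding a route to the other VLAN themselves; the per-company group policy firewall rule or RADIUS Filter-Id options above are what actually enforce the separation on the MX.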
