Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

2 separate Client VPNs to connect to 2 separate VLANs/Networks

Tom_M
New here
a month ago
a month ago

2 separate Client VPNs to connect to 2 separate VLANs/Networks

Hello all,

I have 2 companies that exist in the same building using the same MX100

We need to separate them so that they don't have access to each other's resources.

I configured 2 separate VLANs and have the 2 networks isolated from there on, however I need a solution for remote access.

 

I'm trying to configure an MX100 to do either 1 of 2 things:

 

1 . Have 2 separate 'client VPN' configs so that we can only access the company to which you belong.

 

Problem: doesn't look like this is supported.

 

 

2. Placed a MX68 behind the MX100.  Use the 'client VPN' from the MX100 for one company, and the 'client VPN' from the MX68 for the second company.

 

Problem: I'm not able to connect to the vpn from the MX68 behind the MX100

-I have NATed one of the MX100 public ip address' to the WAN address of the MX68

 

Some guidance would be appreciated.

Thanks,

Tom_M

Labels:
0 Kudos
Subscribe
6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal
a month ago
a month ago

You can use another solution like OpenVPN.

 

https://openvpn.net/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
Tom_M
New here
a month ago
a month ago

Which appliance would OpenVPN run on? 

I'm looking at staying in the same ecosystem if possible, it would be easier to manage.

0 Kudos
Subscribe
In response to Tom_M
alemabrahao
Kind of a big deal
Kind of a big deal
a month ago
a month ago

Unfortunately not, you need another solution.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
Tom_M
New here
a month ago
a month ago

Would you know why the client vpn on the mx 68 behind the mx100 isn't working?

0 Kudos
Subscribe
In response to Tom_M
alemabrahao
Kind of a big deal
Kind of a big deal
a month ago
a month ago

Because the client VPN does not work behind NAT.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
a month ago
a month ago

I'll give you a couple of options.  I'm assuming you are using the Microsoft client VPN.

 

Configure a split tunnel connection on the clients.  For each client, only include their subnet.  You can do this using this tool to deploy the client VPN connection on the machines using powershell.

https://ifm.net.nz/cookbooks/meraki-client-vpn.html 

 

Another option is to use group policy (one for each client).  Create a firewall rule only allowing them access to their respective VLAN.  Wait for them to VPN in one, and then apply the group policy to their connection.  It will stick after that.

 

 

Another option is using RADIUS (such as Windows NPS).  You can return the Filter-Id attribute to automatically select the correct group policy.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RA... 

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.