Hello all,
I have 2 companies that exist in the same building using the same MX100.
We need to separate them so that they don't have access to each other's resources.
I configured 2 separate VLANs and have the 2 networks isolated from there on, however I need a solution for remote access.
I'm trying to configure an MX100 to do either 1 of 2 things:
1. Have 2 separate 'client VPN' configs so that we can only access the company to which you belong.
Problem: doesn't look like this is supported.
2. Placed a MX68 behind the MX100. Use the 'client VPN' from the MX100 for one company, and the 'client VPN' from the MX68 for the second company.
Problem: I'm not able to connect to the VPN from the MX68 behind the MX100.
- I have NATed one of the MX100 public IP addresses to the WAN address of the MX68.
Some guidance would be appreciated.
Thanks,
Tom_M
You can use another solution like OpenVPN.
Which appliance would OpenVPN run on?
I'm looking at staying in the same ecosystem if possible, it would be easier to manage.
Unfortunately not, you need another solution.
Would you know why the client VPN on the MX68 behind the MX100 isn't working?
Because the client VPN does not work behind NAT.
I'll give you a couple of options. I'm assuming you are using the Microsoft client VPN.
Configure a split tunnel connection on the clients. For each client, only include their subnet. You can do this using this tool to deploy the client VPN connection on the machines using PowerShell.
https://ifm.net.nz/cookbooks/meraki-client-vpn.html
Another option is to use group policy (one for each client). Create a firewall rule only allowing them access to their respective VLAN. Wait for them to VPN in once, and then apply the group policy to their connection. It will stick after that.
Another option is using RADIUS (such as Windows NPS). You can return the Filter-Id attribute to automatically select the correct group policy.
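The split-tunnel option above, as an added example that is not from this thread or from the ifm.net.nz tool: it creates the Meraki-style L2TP/IPsec client VPN connection on a Windows machine and routes only that company's own VLAN through it. The connection name, server address, PSK and subnet are placeholders. Keep in mind that client-side split tunnelling only limits what the client routes into the tunnel; the MX still permits a connected client to reach both VLANs unless the group policy or RADIUS Filter-Id option is also applied, so treat this as convenience, not enforcement.

```powershell
# Added example (not from the thread): per-tenant split-tunnel client VPN profile.
# All values are placeholders; replace them with the tenant's real details.
param(
    [string]$ConnectionName  = "CompanyA-VPN",
    [string]$ServerAddress   = "vpn.example.com",   # MX100 public IP or DDNS hostname
    [string]$PreSharedKey    = "<client-vpn-psk>",   # the PSK configured on the MX
    [string[]]$TenantSubnets = @("10.10.0.0/24")     # Company A's VLAN only
)

# Remove any earlier copy so re-running the script is idempotent.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

# Meraki client VPN is L2TP over IPsec with a pre-shared key and PAP inside the
# IPsec-protected tunnel. -SplitTunneling turns off the default route through the VPN.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType L2tp `
    -L2tpPsk $PreSharedKey `
    -AuthenticationMethod Pap `
    -EncryptionLevel Required `
    -SplitTunneling `
    -RememberCredential:$false `
    -Force

# With split tunnelling on, nothing is reachable over the tunnel until a route is added.
# Only this tenant's VLAN is added; the other company's subnet is deliberately left out.
foreach ($prefix in $TenantSubnets) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
}

# Show the resulting routes so the operator can confirm only the intended prefix is present.
Get-VpnConnectionRoute -ConnectionName $ConnectionName |
    Format-Table DestinationPrefix, RouteMetric -AutoSize
```

Run it once per tenant with that tenant's subnet; the second company's machines get the same script with their own VLAN prefix.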