Block Internet Access but Allow Auto VPN Communication on MX75

Solved
overblower
Here to help

Block Internet Access but Allow Auto VPN Communication on MX75

There is Auto VPN between the locations using MX75, and it works well.

I want the devices connected to the MX75 to not access the internet, but still be able to ping other locations.

How can I set this up?

Thank you in advance.

1 Accepted Solution
alemabrahao
Kind of a big deal

Create a Group policy, then in the Layer 3 rules, create a rule allowing communication with the target subnet and a final rule denying everything.

Then apply it to the VLAN interface or directly to the clients.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

10 Replies
overblower
Here to help

Failed. I have two locations, D1 and D2. They should connect to each other, but clients must not have internet access. SCADA programs talk across the two locations.

alemabrahao
Kind of a big deal

Please share the rule that you have created.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

Try something like this.

[screenshot: alemabrahao_0-1759508932350.png]

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
overblower
Here to help

D1: Security Appliance: 143.161.65.1/24

D2 Security Appliance: 143.161.64.1/24

[screenshot: overblower_0-1759512548085.png]

alemabrahao
Kind of a big deal

[screenshot: alemabrahao_0-1759512631600.png]

You need to specify the destination for Any.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RWelch
Kind of a big deal

Wouldn't your entries need to be adjusted?

D1: Security Appliance: 143.161.65.1/24 to 143.161.65.0/24 (subnet) or 143.161.65.1/32 specific device IP

D2 Security Appliance: 143.161.64.1/24 to 143.161.64.0/24 (subnet) or 143.161.64.1/32 specific device IP

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
overblower
Here to help

Done.

By the way, here's the current network setup:

  • D1:

    • Security Appliance IP: 143.161.65.1

    • Client Subnet: 143.161.65.0/24

  • D2:

    • Security Appliance IP: 143.161.64.1

    • Client Subnet: 143.161.64.0/24

I have already created a group policy for D2.
As mentioned earlier, my goal is to block internet access for both D1 and D2 clients, while still allowing them to ping each other internally.

Current situation:
Clients in both D1 and D2 can access the internet and ping each other at the same time.

[screenshot: overblower_0-1759513026642.png]

Now is it time to apply it to the VLAN interface? Any screenshots or steps?
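To make the accepted advice concrete, here is an added example (not code from any poster in this thread, and not Meraki's own tooling) that models the group-policy Layer 3 rules for the two sites above and evaluates them top to bottom, the way the dashboard applies them. It reproduces the two mistakes discussed in the replies: writing the appliance IP with a /24 (143.161.65.1/24) instead of the subnet (143.161.65.0/24), and leaving out the final deny-any rule so clients can still reach the internet. The rule dictionary keys (comment, policy, protocol, destCidr, destPort) follow the Meraki Dashboard API v1 group-policy body as I understand it; treat the exact field names and the implicit default-allow at the end of the list as assumptions to verify against the linked documentation.

```python
import ipaddress

# Subnets as posted in the thread (D1 and D2 client VLANs).
SITES = {
    "D1": "143.161.65.0/24",
    "D2": "143.161.64.0/24",
}


def normalize_cidr(cidr: str) -> str:
    """Turn a host address with a mask ('143.161.65.1/24') into the subnet it
    belongs to ('143.161.65.0/24'). strict=False is what makes this accept a
    host bit set; the dashboard would reject or misread the host form."""
    return str(ipaddress.ip_network(cidr, strict=False))


def build_l3_rules(local_site: str, include_deny_all: bool = True) -> list:
    """Ordered L3 rules for the policy applied at local_site:
    allow each remote Auto VPN subnet, then deny everything else.
    Field names assume the Meraki Dashboard API group-policy format."""
    rules = []
    for name, net in SITES.items():
        if name == local_site:
            continue
        rules.append({
            "comment": f"Allow Auto VPN traffic to {name}",
            "policy": "allow",
            "protocol": "any",
            "destCidr": normalize_cidr(net),
            "destPort": "any",
        })
    if include_deny_all:
        # This is the rule the thread's first attempt was missing: without it
        # the implicit default allow lets clients out to the internet.
        rules.append({
            "comment": "Block everything else (internet)",
            "policy": "deny",
            "protocol": "any",
            "destCidr": "any",
            "destPort": "any",
        })
    return rules


def group_policy_payload(name: str, local_site: str) -> dict:
    """Body shape for creating a group policy with custom L3 rules
    (assumed API field names; check the API reference before posting it)."""
    return {
        "name": name,
        "firewallAndTrafficShaping": {
            "settings": "custom",
            "l3FirewallRules": build_l3_rules(local_site),
        },
    }


def evaluate(rules: list, dst_ip: str) -> str:
    """First-match evaluation, top to bottom. Returns 'allow' or 'deny'.
    Assumption: with no matching rule the dashboard's default is allow."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        dest = rule["destCidr"]
        if dest.lower() == "any" or ip in ipaddress.ip_network(dest):
            return rule["policy"]
    return "allow"


if __name__ == "__main__":
    d1_rules = build_l3_rules("D1")
    for target in ("143.161.64.1", "143.161.64.50", "8.8.8.8"):
        print(f"D1 client -> {target}: {evaluate(d1_rules, target)}")
    # The incomplete policy (no final deny) still lets internet traffic through.
    print("Without deny-all, 8.8.8.8 ->", evaluate(build_l3_rules("D1", False), "8.8.8.8"))
    print("Host form normalised:", normalize_cidr("143.161.65.1/24"))
```

Running it shows a D1 client allowed to the D2 appliance and D2 hosts but denied to 8.8.8.8, while the same list without the final deny rule allows 8.8.8.8, which matches the "can access the internet and ping each other at the same time" result reported above. Apply the policy per site: the D1 policy allows 143.161.64.0/24, the D2 policy allows 143.161.65.0/24, and both end with deny any.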

alemabrahao
Kind of a big deal

Take a look at the link I sent you.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

[screenshot: alemabrahao_0-1759513212278.png]

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
overblower
Here to help

The group policy is ready. We just need to apply it. We'll test it first over the weekend and then implement it. Thank you very much, @alemabrahao!