Block client VPN over site-to-site VPN tunnel

WarrenG
Getting noticed


We have a client with multiple sites that are connected together using the site-to-site VPN. Users in the remote offices are still also using the client VPN (AnyConnect) in order to connect to the main office, which we suspect may be causing network performance issues. Is there any way to create a rule or policy to prevent them from using the client VPN while they are connected to the network at any of the remote offices?

ww
Kind of a big deal

You could block the client VPN URL/IP+port in the VPN firewall (and maybe the L3 FW if needed).

WarrenG
Getting noticed

Thanks. Can you clarify what you mean by the "VPN firewall"? I only see the L3 firewall in the portal. How would I access this VPN firewall that you are referring to? Thanks!

ww
Kind of a big deal

WarrenG
Getting noticed

Got it, I was looking under client VPN but this makes more sense. Thanks!

PhilipDAth
Kind of a big deal

There are several ways of solving this.


I think I would use the AnyConnect default group policy option, and put in there any firewall rules to control what just the AnyConnect users can access.

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Client...


If you use this approach, you can later extend it to support per-user group policy to control what different groups of users can access.

WarrenG
Getting noticed

Thanks. What I ended up doing was to create a conditional access policy in M365 to block the AnyConnect VPN connections if they were coming from the static IP of either of the remote offices. Seemed like that was probably the simplest option, but we'll find out tomorrow if that worked or not. Thanks for the info, I will check out this latest link for my own additional knowledge too.
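Whichever approach is used (group-policy firewall rules or a conditional access policy keyed on the remote offices' static IPs), you will want a way to confirm the next day that no client VPN session is still being established from a remote office. The following is an added example, not from this thread or from Meraki/Cisco, that checks constructed client VPN session records against the offices' egress addresses; the log format, the office names and the addresses are all placeholders.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed placeholders for the static public egress addresses of the
# two remote offices (not real addresses). Successful client VPN sessions
# sourced from these ranges mean the blocking policy is not taking effect.
REMOTE_OFFICE_EGRESS = {
    "branch-a": ipaddress.ip_network("203.0.113.10/32"),
    "branch-b": ipaddress.ip_network("198.51.100.0/29"),
}

# Constructed sample session records in a made-up one-line-per-session
# format; adapt LINE_RE to whatever your VPN concentrator or IdP exports.
SAMPLE_LOG = """\
2024-05-01T08:01:12Z user=alice src=203.0.113.10 result=connected
2024-05-01T08:02:45Z user=bob src=198.51.100.3 result=connected
2024-05-01T08:05:09Z user=carol src=192.0.2.77 result=connected
2024-05-01T09:11:30Z user=dave src=203.0.113.10 result=denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def office_for(src: str) -> Optional[str]:
    """Return the remote office whose egress range contains src, else None."""
    addr = ipaddress.ip_address(src)
    for name, net in REMOTE_OFFICE_EGRESS.items():
        if addr in net:
            return name
    return None


def find_policy_bypasses(log_text: str) -> List[Dict[str, str]]:
    """Return sessions that connected successfully from a remote-office address.

    Denied attempts are expected once the policy is in place and are skipped;
    only successful sessions from an office range indicate a gap.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "connected":
            continue
        office = office_for(m["src"])
        if office is not None:
            hits.append({"ts": m["ts"], "user": m["user"], "src": m["src"], "office": office})
    return hits
```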