Meraki

Community

Can I specify rules that limit Client VPN traffic?

Solved
kdc
Here to help
‎Sep 30 2021 12:52 PM
‎Sep 30 2021 12:52 PM

Can I specify rules that limit Client VPN traffic?

We have work from home users connecting via Client VPN.  I would like to restrict Client VPN connections so that the only thing they can do is RDP to their desktop that is in the office.  Is there any way to configure rules on the MX to achieve this?

 

Of course, with every policy there has to be an exception.  We have some users with corporate laptops that connect to the Client VPN, and they should be allowed to have more access.  Is there any way that I can assign specific Client VPN IP to specific devices, and then assign alternate rules to those IP's?

 

Thanks

Labels:
0 Kudos
1 Accepted Solution
ww
Kind of a big deal
Kind of a big deal
‎Sep 30 2021 1:22 PM
‎Sep 30 2021 1:22 PM

Should be possible when using anyconnect (beta)

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RADIUS_Filter...

 

For the ipsec vpn

https://community.meraki.com/t5/Security-SD-WAN/VPN-CLIENT-Policy/m-p/47016

View solution in original post

3 Replies 3
ww
Kind of a big deal
Kind of a big deal
‎Sep 30 2021 1:22 PM
‎Sep 30 2021 1:22 PM

Should be possible when using anyconnect (beta)

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RADIUS_Filter...

 

For the ipsec vpn

https://community.meraki.com/t5/Security-SD-WAN/VPN-CLIENT-Policy/m-p/47016

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 30 2021 1:27 PM
‎Sep 30 2021 1:27 PM

When using the Microsoft VPN client to the MX (L2TP over IPSec) the only way is to assign group policies after they have connected once.  The group policy can contain firewall rules.  The group policy will stick each time they connect.

 

As mentioned by @ww , AnyConnect lets you define a default group policy, and if you are using RADIUS, you can configure a per user group policy as well.

Now that AnyConnect requires you to buy Cisco AnyConnect licences and be running MX16.  The 16.x beta firmware runs really well.

 

In fact, I prefer 16.x over the current stable 15.44.  I personally experience less issues with 16.12 than I do with 15.44 customers

In response to PhilipDAth
kdc
Here to help
‎Sep 30 2021 2:09 PM
‎Sep 30 2021 2:09 PM

Thanks for the confirmation.  We don't have AnyConnect licensing, so I will have to use the L2TP over IPSec option and manually assign the Group Policy.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.