Client VPN Access Restriction to some LAN Subnets.

Solved
Atags
Getting noticed

Client VPN Access Restriction to some LAN Subnets.

Hi,

I am trying to achieve the following;

I would like certain users of client VPN only certain access to our internal VLANs.

 

So I have a MX acting as my firewall connected to my Cisco CORE switch and Access switches downstream to our internal VLANs (LANs).

If I understand correctly, you can only have 1 subnet for client VPN access in right?

So based on that, is there a way to limit certain users to access only certain internal subnets only?

Example:

Bob after using client VPN can only access VLAN #11 and be denied access to all other internal VLANs

But Allice using client VPN can access all internal VLANs.

 

If not from above, I don't think FW rules or Cisco ACLs would work because you can only have 1 client VPN Subnet, so restricting 1 VLAN would affect everyone connecting remotely i would believe? 

 

If not, how can I achieve this from Meraki MX firewall solution? or with Cisco switches if known as last resort?

 

Thank you,

 

1 Accepted Solution
Bruce
Kind of a big deal

@Atags , you're on the right track, and what you've configured is correct if you're trying to block access to 10.1.11.1/32. You apply the Group Policy just like any other under Network-wide -> Clients - this is what I mean by applying it to the device (probably should've said client). You should see a Client VPN appear in the client list like this (this is a snip from my Dashboard):

Bruce_0-1611132404319.png

This is the bit that may be new on the MX15 firmware. You can see the 'VPN' symbol on the far left, it will be green for an active connection, and the MAC address comes from the VPN virtual adapter on the client (so even if the client device connects to your office network sometimes, such as a laptop, it will still appear as another client when on the VPN as the MAC address from the VPN virtual adapter will be different to the Ethernet MAC). Click on the MAC address and it will show you the 'client' and then you should be able to apply a Group Policy.

Bruce_1-1611132893298.png

You can also find the MAC address (and click on it) from the Event Log to, here's an example of my successful connection, showing the MAC address and the client ID.

View solution in original post

12 Replies 12
KarstenI
Kind of a big deal
Kind of a big deal

This is one of the use cases where I always place a Cisco ASA (or FTD nowadays) in addition to the MX into the network. Just for VPN.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Atags
Getting noticed

Thanks Karsten. So I am guessing by your response that the answer to my questions is no then?

 

Thank you

Bruce
Kind of a big deal

@Atags what Karsten states is correct. What you can try though is using Group Policy applied to the devices - if you've only got a handful of clients it may be a practical solution, but if you've got hundreds, probably not. If you create a Group Policy you can configure a custom Layer 3 firewall for traffic coming in from the Client VPN devices to which the policy is applied, this custom policy should include all your normal rules (since it overrides them) and also any specific rules to block/allow access to specific subnets. (I quickly tried this on MX15.38 firmware and it does work, but I suggest you do some more thorough testing).

 

The gotcha is that there is no way to dynamically apply the policy to a device, hence why I said it would only be manageable for a handful of devices. You can't dynamically assign Group Policy using AD based on user credentials for Client VPN either, so you really are limited to manual device assignment. 

 

You may be able to delve into a bit of automation with scripting and the API. Events appear to be logged that you could use to associate a username with a device MAC address (or you may be able to get this from the API - haven't looked), and then you could potentially assign a Group Policy based on that. Just some thoughts, needs some more rounding out.

 

 

Atags
Getting noticed

@Bruce  Thanks for explanation and time. Not sure if doing this right or docs on this but

I tried creating a group policy in the Network Wide tab and then Group Policies.

But it looks like there is no option to specify any security usage.

Also not sure where to apply that group policy too on the actual VPN user, as this is also not an option either under the Client VPN and users section.

Also when you say Client VPN devices, are you referring to their actual PC/WAN IP at home they remote from?

I just noticed I am running MX version: 14.42 so not sure if newer versions (15+) have these options you were stating?

 

I attached a photo

 

Capture100.PNG

Bruce
Kind of a big deal

@Atags , you're on the right track, and what you've configured is correct if you're trying to block access to 10.1.11.1/32. You apply the Group Policy just like any other under Network-wide -> Clients - this is what I mean by applying it to the device (probably should've said client). You should see a Client VPN appear in the client list like this (this is a snip from my Dashboard):

Bruce_0-1611132404319.png

This is the bit that may be new on the MX15 firmware. You can see the 'VPN' symbol on the far left, it will be green for an active connection, and the MAC address comes from the VPN virtual adapter on the client (so even if the client device connects to your office network sometimes, such as a laptop, it will still appear as another client when on the VPN as the MAC address from the VPN virtual adapter will be different to the Ethernet MAC). Click on the MAC address and it will show you the 'client' and then you should be able to apply a Group Policy.

Bruce_1-1611132893298.png

You can also find the MAC address (and click on it) from the Event Log to, here's an example of my successful connection, showing the MAC address and the client ID.

Atags
Getting noticed

@Bruce  again thank you. Question, so because I have to go to Network-wide -> Clients, does that mean that the user first needs to be created and then actively logged in, in real time in order to apply the policy to them, and see the VPN symbol?

And does the policy get applied to only his actual device like a PC?

Or his/her user name I create in the Client VPN section?

If its just the PC, then if he/she logs in from another device, this would have to be manually re-done again right?

If its the username, then it wont matter, meaning they can log in from any device as long as its under that username and credentials right?

 

One other thing, Is the MX15 firmware Beta versions only?

The latest one that comes up in my Dashboard for my MX100 is only the MX14.53 version.

 

 

Thanks!

Bruce
Kind of a big deal

Yes, the MX15 software is beta only (for the moment).

 

Yes the user needs to login first as the policy is applied to the client, so its easiest if the client appears in the client list - and yes, if these use multiple clients then the policy will need to be applied to each one. Hence why it would not be manageable with a large number of users or client.

 

Its something to consider, but it may not work for your environment.

Atags
Getting noticed

@Bruce Thank you again! So I upgraded to the latest Beta 15 version (Although I think 14 would have worked as well), and I have it working through the Group policy and L3 FW rules. I tested with an VPN account. 

My only question left is, does this group policy only get applied to the PC he/she logs in from?

Or

Does this group policy get applied to the username, so that if this username VPNs in from another machine wherever, the same group policy and rules will apply?

Bruce
Kind of a big deal

Unfortunately it only gets applied to the device, there is no way to apply it on a per user basis.

 

If you’re feeling adventurous then there isn’t any reason why you couldn’t write a script and use the APIs to apply a Group Policy to devices based on the user - I believe all the information is available through the API. The only issue will be how instantaneously the Group Policy can be applied - you may end up having to use polling, which depending on the interval may not be fast enough. It comes down to how much effort you want to put in the achieve an outcome.

Atags
Getting noticed

@Bruce Ok great thank you very much for all your responses and help! I never worked with APIs before yet and this environment is small so I think I will just keep as is for now. 

Again thank you!

 

KarstenI
Kind of a big deal
Kind of a big deal

After this lengthy discussion, do you understand why I just place another VPN gateway to the network? 😉

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Atags
Getting noticed

Yes thanks

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels