Client VPN - Internet issue

ZDonaldson
Getting noticed

All, 

I ran into an issue with vpn clients not having access to the internet when connected.  We are not using the split-tunnel configuration, so internet access was via the MX device.

To fix the issue, I found that I needed to disable two outbound firewall rules that I had created to prevent proxy vpn activity from bypassing our content filters.

In one rule I denied outbound TCP 1723, and in another rule I denied outbound UDP 500, 1701 and 4500.

Keeping in mind that these are outbound rules and that client VPN connections are created inbound only, it seems to me this would lean towards being a bug-type situation. I wouldn't expect the firewall rules to apply to inbound VPN traffic until after it has left the tunnel and is actually being sent out to the internet, at which point the VPN protocols are no longer in play.

Anyone have any thoughts or ideas on this setup?

Zane D - IT Manager in Sin City NV
5 Replies
BrandonS
Kind of a big deal

This is working as designed and as it should as far as I can tell.  If the firewall rules are for all outbound traffic, your VPN clients are part of that outbound traffic when they route to the internet just like any other client.

Maybe you could make another rule that allows everything for the VPN subnet?  That way you can still have the firewall protection you intended for the rest of the network.

- Ex community all-star (⌐⊙_⊙)
ZDonaldson
Getting noticed
@BrandonS wrote:

This is working as designed and as it should as far as I can tell.  If the firewall rules are for all outbound traffic, your VPN clients are part of that outbound traffic when they route to the internet just like any other client.

Yes, true, but the outbound internet traffic is no longer encrypted as part of a tunnel on its way out, which is when it should hit the firewall rules. At that point, the ports that are being blocked should not be involved in the outbound traffic.

Zane D - IT Manager in Sin City NV
BrandonS
Kind of a big deal

I see what you mean now.

- Ex community all-star (⌐⊙_⊙)
GiacomoS
Meraki Employee

Hey @ZDonaldson,

The firewall rules you created, are they from the Security Appliance > Firewall page? 

Could it be that the problem is not on the traffic outgoing to the internet, but in the response back to the client? In that case it may potentially (sort of) make sense, assuming the MX is generating a new flow when it's going from itself to the VPN client as it would use port 500/4500. 

If that's blocked, traffic going back to the client will be stopped on its way to it.

Could this make sense for your situation?

Giacomo

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
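To make the two explanations in this thread concrete (BrandonS's "allow everything for the VPN subnet" exemption and Giacomo's hypothesis that the MX's own IKE/NAT-T flow back to the client is what the UDP deny rule catches), here is a small first-match outbound rule evaluator. It is an added example written for this page, not Meraki's rule engine or anything posted by the participants; the VPN pool 10.99.0.0/24, the MX WAN address 203.0.113.10, the client public address 198.51.100.77 and the implicit final allow are all constructed assumptions.

```python
"""Toy first-match outbound firewall evaluator, built to illustrate the thread.
All subnets, addresses and rules below are constructed for this example; the
model is a simplification and is not the actual MX rule engine."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    proto: str                           # "any", "tcp" or "udp"
    src: str = "any"                     # source CIDR, or "any"
    dst_ports: frozenset = frozenset()   # empty means any destination port
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field the rule constrains agrees with the flow."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.src != "any" and ip_address(flow.src) not in ip_network(rule.src):
        return False
    if rule.dst_ports and flow.dport not in rule.dst_ports:
        return False
    return True


def evaluate(rules, flow):
    """First matching rule wins. Returns (action, matched rule or None).
    Assumption for this model: an implicit final allow when nothing matches."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule
    return "allow", None


VPN_SUBNET = "10.99.0.0/24"       # constructed client VPN address pool
MX_WAN = "203.0.113.10"           # constructed MX public address
CLIENT_PUBLIC = "198.51.100.77"   # constructed remote client public address

# The two rules the original post describes (ports as stated in the thread).
ORIGINAL_RULES = [
    Rule("deny", "tcp", dst_ports=frozenset({1723}), comment="block PPTP proxy VPNs"),
    Rule("deny", "udp", dst_ports=frozenset({500, 1701, 4500}),
         comment="block IKE/L2TP/NAT-T proxy VPNs"),
]

# BrandonS's suggestion: an allow-all for the VPN pool placed above the denies.
SUBNET_EXEMPT_RULES = [Rule("allow", "any", src=VPN_SUBNET, comment="VPN clients")] + ORIGINAL_RULES

# Flow 1: a connected full-tunnel client browsing the web through the MX.
WEB = Flow("tcp", "10.99.0.5", "192.0.2.80", 443)
# Flow 2: Giacomo's hypothesis, the MX's own NAT-T (UDP 4500) traffic back to the client.
RETURN_IKE = Flow("udp", MX_WAN, CLIENT_PUBLIC, 4500)


def verdicts(rules):
    """Verdict for each sample flow under a given rule set."""
    return {name: evaluate(rules, flow)[0]
            for name, flow in (("web", WEB), ("return_ike", RETURN_IKE))}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES),
                         ("subnet-exempt", SUBNET_EXEMPT_RULES),
                         ("rules disabled", [])):
        print(f"{label:15s} {verdicts(rules)}")
    action, rule = evaluate(ORIGINAL_RULES, RETURN_IKE)
    print(f"return flow hit rule: {rule.comment!r} -> {action}")
```

In this model the client's plain web traffic is never touched by the port-based denies, which matches the original poster's reasoning; what the UDP rule catches is the MX-sourced return flow. Because that flow is sourced from the MX address rather than from the VPN pool, a source-subnet exemption leaves it denied, which is consistent with the poster only getting relief by disabling the rules. If the goal is to keep the proxy-VPN blocking for LAN users, the narrower change in this model is to scope the two deny rules to the LAN source subnets instead of "any", so the appliance's own flows are not matched.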
emmasmith
Just browsing

Sometimes this issue is caused by something blocking the connection to our servers. Before you begin troubleshooting a blocked connection, please check the following: verify that your internet connection is working while disconnected from the VPN. If after all this you are still facing the issue, I recommend visiting this site: https://www.applemacsupportnumbers.com/apple-customer-support/
