Client VPN - Internet issue

Getting noticed

Client VPN - Internet issue

All, 

 

I ran into an issue with vpn clients not having access to the internet when connected.  We are not using the split-tunnel configuration, so internet access was via the MX device.

 

To fix the issue, I found that I needed to disable two outbound firewall rules that I had created to prevent proxy vpn activity from bypassing our content filters.

 

In one rule I denied outbound TCP 1723, and in another rule I denied outbound UDP 500, 1701, 4500.

 

Keeping in mind that these are outbound rules and that client VPN connections are created inbound only, it seems to me this would lean towards being a bug-type situation. I wouldn't expect the firewall rules to apply to inbound VPN traffic until after it has left the tunnel and is actually being sent out to the internet, at which point the VPN protocols are no longer in play.

 

Anyone have any thoughts or ideas on this setup?

Zane D - IT Manager in Sin City NV
Head in the Cloud

Re: Client VPN - Internet issue

This is working as designed and as it should as far as I can tell.  If the firewall rules are for all outbound traffic, your VPN clients are part of that outbound traffic when they route to the internet just like any other client.

 

Maybe you could make another rule that allows everything for the VPN subnet?  That way you can still have the firewall protection you intended for the rest of the network.

 

Getting noticed

Re: Client VPN - Internet issue


@BrandonS wrote:

This is working as designed and as it should as far as I can tell.  If the firewall rules are for all outbound traffic, your VPN clients are part of that outbound traffic when they route to the internet just like any other client.

 


Yes, true, but the outbound internet traffic is no longer encrypted as part of a tunnel on its way out, which is when it should hit the firewall rules. At that point, the ports that are being blocked should not be involved in the outbound traffic.

 

 

Zane D - IT Manager in Sin City NV
Head in the Cloud

Re: Client VPN - Internet issue

I see what you mean now.

Meraki Employee

Re: Client VPN - Internet issue

Hey @ZDonaldson,

 

The firewall rules you created, are they from the Security Appliance > Firewall page? 

 

Could it be that the problem is not on the traffic outgoing to the internet, but in the response back to the client? In that case it may potentially (sort of) make sense, assuming the MX is generating a new flow when it's going from itself to the VPN client as it would use port 500/4500. 

If that's blocked, traffic going back to the client will be stopped on its way to it.

 

Could this make sense for your situation?

 

Giacomo

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
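A small model of the rule evaluation discussed in the replies above, added here as an example and not taken from any poster or from Meraki. It treats the outbound rules as a top-down, first-match list (an assumption), uses the TCP/UDP port lists from the original post, constructed addresses, and the MX-originated return flow that Giacomo hypothesised; the narrow allow rule placed ahead of the denies is an assumed remediation, not something the thread confirms.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    proto: str                      # "tcp", "udp" or "any"
    src: str                        # source CIDR
    dst: str                        # destination CIDR
    dports: frozenset = frozenset() # destination ports; empty means any port
    comment: str = ""

def matches(rule, proto, src_ip, dst_ip, dport):
    if rule.proto not in ("any", proto):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    return not rule.dports or dport in rule.dports

def evaluate(rules, proto, src_ip, dst_ip, dport):
    """Top-down, first match wins; an unmatched flow is allowed (assumed default)."""
    for rule in rules:
        if matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action, rule.comment
    return "allow", "default"

ANY = "0.0.0.0/0"
MX_WAN = "203.0.113.1"           # constructed MX WAN address
CLIENT_PUBLIC = "198.51.100.20"  # constructed public address of the VPN client
CLIENT_POOL_IP = "10.99.0.50"    # constructed address from the client VPN pool

# The two deny rules described in the original post
ORIGINAL_RULES = [
    Rule("deny", "tcp", ANY, ANY, frozenset({1723}), "block PPTP"),
    Rule("deny", "udp", ANY, ANY, frozenset({500, 1701, 4500}), "block IPsec/L2TP"),
]

# Assumed narrow fix: let the MX's own IKE/NAT-T flows out ahead of the deny rules,
# so LAN and VPN clients remain blocked from reaching external VPN services
FIXED_RULES = [
    Rule("allow", "udp", MX_WAN + "/32", ANY, frozenset({500, 4500}), "MX VPN return traffic")
] + ORIGINAL_RULES

def web_flow(rules):
    """A VPN client's own web request leaving the tunnel: no VPN ports involved."""
    return evaluate(rules, "tcp", CLIENT_POOL_IP, "192.0.2.10", 443)

def return_flow(rules):
    """The MX-originated UDP 4500 flow back to the client that Giacomo hypothesised."""
    return evaluate(rules, "udp", MX_WAN, CLIENT_PUBLIC, 4500)
```

Under the original rules the client's web flow is allowed while the MX-to-client return flow is denied, which is the asymmetry Zane observed if Giacomo's hypothesis holds.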
Just browsing

Re: Client VPN - Internet issue

Sometimes this issue is caused by something blocking the connection to our servers. Before you begin troubleshooting a blocked connection, please check the following: verify that your internet connection is working whilst disconnected from the VPN. If after all this you are still facing the issue, I recommend visiting this site: https://www.applemacsupportnumbers.com/apple-customer-support/

 
