Client VPN restriction and Permit Gmail only

Solved
charles07
Getting noticed

Client VPN restriction and Permit Gmail only

Hi,

Can someone please help on achieving below two in Meraki MX;

1. How to restrict users from client VPN to certain LAN subnet
2. Permit only Gmail and block all other mail providers

1 Accepted Solution
PhilipDAth
Kind of a big deal

It's a bit painful.

You need to log in once as your client VPN users. Then you can apply a group policy to them. You can read about creating group policies here:

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin...

You will probably want to use L3 rules, and FQDNs for Gmail.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support

And you'll need to add a default deny rule.

If you aren't used to doing this - you are taking on a lot. You might be better off finding a local Cisco Meraki partner in your area for help.
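An added example (not from this thread or from Meraki) that models the rule set the accepted answer describes: VPN users restricted to one LAN subnet, Gmail allowed by FQDN, and an explicit default deny at the end, so the rule order and the missing-deny failure mode can be checked offline before anything is pushed to the MX. The subnet, the Gmail hostname and the field names are illustrative assumptions, not Meraki's schema.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed group-policy L3 rule set: evaluated top to bottom, first match wins.
# Values are assumptions for illustration; confirm the real Gmail hostnames.
VPN_GROUP_POLICY_L3 = [
    {"comment": "VPN users may reach the permitted LAN subnet only",
     "policy": "allow", "protocol": "any", "dest": "10.10.20.0/24", "dest_port": "any"},
    {"comment": "Gmail web UI via FQDN rule (add every hostname Gmail needs)",
     "policy": "allow", "protocol": "tcp", "dest": "mail.google.com", "dest_port": "443"},
    {"comment": "Default deny: everything else, including other mail providers",
     "policy": "deny", "protocol": "any", "dest": "any", "dest_port": "any"},
]


def _dest_matches(rule_dest, dst_ip, dst_fqdn):
    """Match a rule destination that is 'any', an IP/CIDR, or an FQDN pattern."""
    if rule_dest == "any":
        return True
    try:
        net = ipaddress.ip_network(rule_dest, strict=False)
    except ValueError:
        # Not an IP or CIDR, so treat it as an FQDN pattern such as "*.google.com".
        return dst_fqdn is not None and fnmatch(dst_fqdn.lower(), rule_dest.lower())
    return ipaddress.ip_address(dst_ip) in net


def evaluate(rules, dst_ip, proto, port, dst_fqdn=None):
    """Return (policy, comment) of the first rule matching the flow."""
    for rule in rules:
        if rule["protocol"] not in ("any", proto):
            continue
        if rule["dest_port"] not in ("any", str(port)):
            continue
        if _dest_matches(rule["dest"], dst_ip, dst_fqdn):
            return rule["policy"], rule["comment"]
    # Assumed to mirror the MX's own bottom rule: unmatched traffic is allowed,
    # which is why the answer insists on an explicit default deny.
    return "allow", "fell through to the default allow (no rule matched)"


def has_default_deny(rules):
    """True only if the last rule denies any protocol to any destination."""
    last = rules[-1]
    return (last["policy"], last["protocol"], last["dest"]) == ("deny", "any", "any")
```

Running `evaluate` against the rule list with the last entry dropped shows a non-Gmail mail host being allowed, the exact gap the default deny closes.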


7 Replies

charles07
Getting noticed

Thank you @PhilipDAth 

For Gmail exemptions, all URLs have to be added, I understand. If it's for O365, they have a bunch of IPs and URLs. Some other firewalls have application whitelisting where you can exempt O365 alone.

Regarding client VPN restriction, user IP can change based on DHCP. It's not practical to assign a group policy in this case.

From the client list, is there any option to add an IP address? Currently, Meraki provides only the option to add a MAC address.

PhilipDAth
Kind of a big deal

>Regarding client VPN restriction, user IP can change based on DHCP

For client VPN the group policy is assigned based on the username, not the IP address.

charles07
Getting noticed

>>For client VPN the group policy is assigned based on the username, not the IP address.

Can that be done before users log in? I understand users have to log in, then from Network > Clients apply the group policy.

Are you referring to the same?

charles07
Getting noticed

>>For client VPN the group policy is assigned based on the username, not the IP address.

Can you please provide steps to set a policy for a client VPN user. As far as I understand, the client VPN list shows users and their IP addresses.
Once a policy is applied, it gets applied to the IP address.

PhilipDAth
Kind of a big deal

@charles07 just VPN in as the user. After about a minute you should see the VPN connected user appear under Network-Wide/Clients. Then go apply the group policy to that client.

Unlike other clients, it gets applied to the client VPN user, not their IP address.

SoCalRacer
Kind of a big deal

You might try the settings that were recommended in a group policy to test so you don't affect production users/devices.
