Client VPN restriction and Permit Gmail only

SOLVED
Here to help

Client VPN restriction and Permit Gmail only

Hi,

Can someone please help on achieving below two in Meraki MX;

1. How to restrict users from client VPN to certain LAN subnet
2. Permit only Gmail and block all other mail providers

1 ACCEPTED SOLUTION

Kind of a big deal

Re: Client VPN restriction and Permit Gmail only

It's a bit painful.

 

You need to log in once as your client VPN users.  Then you can apply a group policy to them.  You can read about creating group policies here:

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin... 

 

You will probably want to use L3 rules, and FQDNs for Gmail.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support 

 

And you'll need to add a default deny rule.

 

 

If you aren't used to doing this - you are taking on a lot.  You might be better off finding a local Cisco Meraki partner in your area for help.

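To make the accepted answer's three pieces concrete (allow the one LAN subnet, allow Gmail by FQDN, end with a default deny), here is an added example that is not from the thread or from Meraki. It builds the JSON body that the Meraki Dashboard API group-policy endpoint expects (field names `firewallAndTrafficShaping` / `l3FirewallRules` are assumed from the public API) and runs a local first-match simulation over constructed flows; the LAN subnet, the Gmail hostnames and the port list are assumed values, and nothing here contacts a dashboard.

```python
"""Group-policy L3 rules for client VPN users: build the body and simulate it.

build_policy() returns the body for POST /networks/{networkId}/groupPolicies
(Meraki Dashboard API, field names assumed). evaluate() is a local first-match
walk over the rules to show why the trailing default-deny rule matters.
"""
import ipaddress

# Assumed values for illustration only, not taken from the thread.
ALLOWED_LAN = "10.10.20.0/24"                  # the one LAN subnet VPN users may reach
GMAIL_FQDNS = ["mail.google.com", "imap.gmail.com", "smtp.gmail.com"]
GMAIL_PORTS = "443,465,587,993"                # HTTPS, SMTPS, submission, IMAPS


def build_policy(name="VPN-Users", default_deny=True):
    rules = [{"comment": "Reach only the permitted LAN subnet", "policy": "allow",
              "protocol": "any", "destPort": "Any", "destCidr": ALLOWED_LAN}]
    for fqdn in GMAIL_FQDNS:                   # FQDN in destCidr, as the MX doc allows
        rules.append({"comment": f"Gmail: {fqdn}", "policy": "allow",
                      "protocol": "tcp", "destPort": GMAIL_PORTS, "destCidr": fqdn})
    if default_deny:                            # without this the MX falls through to allow
        rules.append({"comment": "Default deny everything else", "policy": "deny",
                      "protocol": "any", "destPort": "Any", "destCidr": "Any"})
    return {"name": name, "firewallAndTrafficShaping": {"settings": "custom",
                                                         "l3FirewallRules": rules}}


def _port_match(rule_port, port):
    return rule_port == "Any" or str(port) in rule_port.split(",")


def _dest_match(dest_cidr, dst_ip, dst_name):
    if dest_cidr == "Any":
        return True
    if "/" in dest_cidr:                        # CIDR rule: compare the destination IP
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(dest_cidr)
    return dst_name == dest_cidr                # FQDN rule: the MX resolves via DNS; simplified here


def evaluate(policy, proto, dst_ip, dst_name, port):
    """First matching rule wins; the implicit end-of-list action on the MX is allow."""
    for rule in policy["firewallAndTrafficShaping"]["l3FirewallRules"]:
        if rule["protocol"] in ("any", proto) and _port_match(rule["destPort"], port) \
                and _dest_match(rule["destCidr"], dst_ip, dst_name):
            return rule["policy"]
    return "allow"
```

Run `evaluate(build_policy(default_deny=False), "tcp", "40.97.0.1", "outlook.office365.com", 993)` to see the other mail provider slip through when the last rule is left out.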

7 REPLIES 7

Kind of a big deal

Re: Client VPN restriction and Permit Gmail only

You might try the settings that were recommended in a group policy to test so you don't affect production users/devices.

Here to help

Re: Client VPN restriction and Permit Gmail only

Thank you @PhilipDAth 

For Gmail exemptions, all URLs had to be added, I understand. If it's for O365, they have a bunch of IPs and URLs. Some other firewalls have application whitelisting, where you can exempt O365 alone.

 

Regarding client VPN restriction, the user IP can change based on DHCP. It's not practical to assign a group policy in this case.

 

From the client list, is there any option to add an IP address? Currently, Meraki provides only the option to add a MAC address.

Kind of a big deal

Re: Client VPN restriction and Permit Gmail only

>Regarding client VPN restriction, the user IP can change based on DHCP

 

For client VPN the group policy is assigned based on the username, not the IP address.

Here to help

Re: Client VPN restriction and Permit Gmail only

>>For client VPN the group policy is assigned based on the username, not the IP address.

 

Can that be done before users log in? I understand users have to log in, then from Network > Clients apply the group policy.

Are you referring to the same?

Here to help

Re: Client VPN restriction and Permit Gmail only

>>For client VPN the group policy is assigned based on the username, not the IP address.

Can you please provide steps to set a policy for a client VPN user? As far as I understand, the client VPN list shows users and their IP addresses.
Once a policy is applied, it gets applied to the IP address.

Kind of a big deal

Re: Client VPN restriction and Permit Gmail only

@charles07 just VPN in as the user.  After about a minute you should see the VPN connected user appear under Network-Wide/Clients.  Then go apply the group policy to that client.

 

Unlike other clients, it gets applied to the client VPN user, not their IP address.
