Client VPN restriction and Permit Gmail only
Hi,
Can someone please help with achieving the two items below in Meraki MX:
1. How to restrict client VPN users to a certain LAN subnet
2. Permit only Gmail and block all other mail providers
It's a bit painful.
You need to log in once as your client VPN users. Then you can apply a group policy to them. You can read about creating group policies here:
You will probably want to use L3 rules, and FQDNs for Gmail.
https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support
And you'll need to add a default deny rule.
If you aren't used to doing this - you are taking on a lot. You might be better off finding a local Cisco Meraki partner in your area for help.
Thank you @PhilipDAth
For Gmail exemptions, all URLs had to be added, I understand. If it's for O365, they have a bunch of IPs and URLs. Some other firewalls have application whitelisting wherein you can exempt O365 alone.
Regarding client VPN restriction, user IP can change based on DHCP. It's not practical to assign a group policy in this case.
From the client list, is there any option to add an IP address? Currently, Meraki provides only the option to add a MAC address.
>Regarding client VPN restriction, user IP can change based on DHCP
For client VPN the group policy is assigned based on the username, not the IP address.
>>For client VPN the group policy is assigned based on the username, not the IP address.
Can that be done before users log in? I understand users have to log in, then from Network > Clients apply the group policy.
Are you referring to the same?
Can you please provide steps to set a policy for a client VPN user? As far as I understand, the client VPN list shows the user and its IP address.
Once a policy is applied, it gets applied to the IP address.
@charles07 just VPN in as the user. After about a minute you should see the VPN connected user appear under Network-Wide/Clients. Then go apply the group policy to that client.
Unlike other clients, it gets applied to the client VPN user, not their IP address.
You might try the settings that were recommended in a group policy to test so you don't affect production users/devices.
