Meraki

Community

Firewall settings for guest network to enable VPN access to Meraki MX

WifiCable
Conversationalist
‎Apr 17 2019 3:34 AM
‎Apr 17 2019 3:34 AM

Firewall settings for guest network to enable VPN access to Meraki MX

We are currently migrating our network to Meraki.

We have several network segments (different vlans) at our location including one for guests.

This network is isolated from the other networks, only internet access is enabled.

I've done this in the firewall like this:

 

deny any protocol source any port <corp-nw> destination any protocol <guest-nw>

deny any protocol source any port <guest-nw> destination any protocol <corp-nw>

allow any protocol source any port <guest-nw> destination any portocol any destination

 

That works so far.

When I'm connected to the guest Network, I cannot establish a VPN connection to our Meraki Gateway.

 

I think I have to create a rule to allow that connection... Can anyone tell me how?

0 Kudos
5 Replies 5
MarcP
Kind of a big deal
‎Apr 17 2019 5:52 AM
‎Apr 17 2019 5:52 AM

Wireless - Firewall - Deny local LAN , for your Guest Wifi?

 

2019-04-17 14_51_12-Firewall & traffic shaping - Meraki Dashboard.png

0 Kudos
In response to MarcP
WifiCable
Conversationalist
‎Apr 17 2019 7:36 AM
‎Apr 17 2019 7:36 AM

I tried a little more. Port forwarding is working, sorry for that. I have only problems with VPN.

 

As I wrote the network seperation is not the problem. Also VPN from outside to corp lan works fine.

 

The problem is that I cannot establish this VPN connection when I'm inside the (local, Meraci-managed) guest network.

 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 17 2019 3:06 PM
‎Apr 17 2019 3:06 PM

I would doubt that you could VPN in from inside of the MX to the outside of the MX.  I don't think this is a valid config.

0 Kudos
In response to PhilipDAth
WifiCable
Conversationalist
‎Apr 18 2019 12:10 AM
‎Apr 18 2019 12:10 AM

Sure, from the network state it's not the best.

 

We have a larger number of mobile devices that connect to foreign public networks and our local guest network.

It would be helpful if the connection could work the same way.

0 Kudos
In response to WifiCable
DHAnderson
Head in the Cloud
‎Apr 20 2019 4:23 PM
‎Apr 20 2019 4:23 PM

I have setup VPNs on several firewalls and find that most cannot connect to the VPN from the LAN side.

 

I also have setup Routing and Remote Access on different Windows severs.  With that config, users could connect to the VPN from the LAN.

 

A different way to accomplish a Guest Network that has managed access to the LAN, would be to setup an Employee Guest SSID that uses RADIUS to your server for authentication. 

 

Dave Anderson
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.