I need to restrict Anyconnect VPN users to only be able to access certain IP addresses

Shukes
Comes here often


Hi

I need to restrict access for users that connect using the AnyConnect VPN to only the IP addresses on the network that are critical.

Can I restrict by AD group membership?

If so, is there a good document on how to set it up?

Thanks

Chris

8 Replies
alemabrahao
Kind of a big deal

You can use Layer 3 firewall rules on the Meraki MX to restrict Client VPN users' access to only specific subnets or IP addresses.

https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

You can also use Group policy to restrict, but not to a specific group, only to all users who connect to the VPN.

[attached screenshot: alemabrahao_0-1749644900511.png]
cmr
Kind of a big deal

Oh wow, I never realised that the Meraki client VPN didn't have conditional access for client VPN users! Isn't that one of the most common routes to data breaches, when people have overly generous remote access?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal

If you are using RADIUS authentication, you can use the Filter-Id attribute.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RA...

If you are using SAML authentication, then you can pass a group.  I did a post about doing this ages ago.  You no longer need to email anyone.

https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-SAML-Group-Policy-assignment/m-p/245425/h...

 

You can also manually apply a group policy to a user once they have connected and you can see them.  The policy sticks for future VPN connections.

cmr
Kind of a big deal

I did think that it had to be possible!

rhbirkelund
Kind of a big deal

I see that Philip cut me to the chase, as always! 😄

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
Shukes
Comes here often

Hi Philip, your answer looks the closest to what we want. We are using RADIUS with AnyConnect and also Duo MFA. Does this Filter-Id only allow us to use the same policy for everyone on the VPN? How can I assign some VPN users to groups that then allow different policies on the Meraki to control access based on the group? The documentation just appears to allow you to set one value for the Filter-Id attribute. I may be missing something on how to do this. Thanks, Chris

rhbirkelund
Kind of a big deal

You can open a case with Meraki Support, and have them enable SAML Authentication with Group Policy for Anyconnect.

Then you can create Group Policies and assign them to users, per group membership in Entra ID (or other Cloud AD that supports SAML). 

In the Group Policy you would then define L3 ACLs which would allow or deny access to specific IP addresses or subnets. 

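The mapping PhilipDAth and rhbirkelund describe (directory group, to a per-group RADIUS Filter-Id or SAML group value, to a Meraki group policy whose L3 rules allow only the critical hosts) can be sanity-checked before rollout with a small model of the rule evaluation. The following is an added example and not code from Meraki or from anyone in this thread; the group names, Filter-Id values, policy names and subnets are constructed, and it assumes Meraki group-policy L3 rules are matched top to bottom with an implicit "allow any" at the end, which is why a restrictive policy needs an explicit closing deny.

```python
import ipaddress

# Constructed mapping: AD group -> Filter-Id value returned in the RADIUS Access-Accept.
# On the MX, the Filter-Id value must equal the group policy name (hypothetical names here).
AD_GROUP_TO_FILTER_ID = {"VPN-Critical-Servers": "gp-critical", "VPN-Helpdesk": "gp-helpdesk"}

# Hypothetical group policies. Each rule: (action, protocol, destination CIDR, allowed ports or None).
# Rules are evaluated top to bottom, first match wins; an unmatched packet hits the implicit allow.
GROUP_POLICIES = {
    "gp-critical": [
        ("allow", "tcp", "10.0.10.0/28", {443, 3389}),   # the critical hosts only
        ("allow", "udp", "10.0.10.1/32", {53}),          # internal DNS
        ("deny", "any", "0.0.0.0/0", None),              # explicit catch-all deny
    ],
    "gp-helpdesk": [
        ("allow", "tcp", "10.0.30.0/24", {443}),
        # no closing deny: everything else falls through to the implicit allow
    ],
}
IMPLICIT_DEFAULT_ALLOWS = True  # assumption: models the MX default rule "allow any"


def policy_for_user(ad_groups):
    """Return the group policy selected by the first AD group that maps to a Filter-Id,
    or None when RADIUS would return no Filter-Id (user lands on the default VPN policy)."""
    for group in ad_groups:
        if group in AD_GROUP_TO_FILTER_ID:
            return AD_GROUP_TO_FILTER_ID[group]
    return None


def is_allowed(ad_groups, proto, dst_ip, dst_port):
    """Evaluate the user's L3 rules for one flow; True means the MX would forward it."""
    rules = GROUP_POLICIES.get(policy_for_user(ad_groups), [])
    dst = ipaddress.ip_address(dst_ip)
    for action, rule_proto, cidr, ports in rules:
        if rule_proto not in ("any", proto):
            continue
        if dst not in ipaddress.ip_network(cidr):
            continue
        if ports is not None and dst_port not in ports:
            continue
        return action == "allow"
    return IMPLICIT_DEFAULT_ALLOWS


def ends_with_explicit_deny(policy_name):
    """Pre-deployment check: a restrictive policy must finish with deny any -> 0.0.0.0/0."""
    rules = GROUP_POLICIES.get(policy_name, [])
    return bool(rules) and rules[-1][:3] == ("deny", "any", "0.0.0.0/0")
```

Running the check over every policy you intend to hand out via Filter-Id (or a SAML group) catches the common mistake where a user in a "restricted" policy can still reach the rest of the LAN because the last rule is the implicit allow.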