Meraki

Community

I want to restrict 1 VPN user to 2 IP addresses How can I do this?

Chris_Watkins
Here to help
‎Mar 8 2022 11:20 AM
‎Mar 8 2022 11:20 AM

I want to restrict 1 VPN user to 2 IP addresses How can I do this?

We replaced our Cisco ASA with a MX provided & supported by our ISP.  for multiple reasons.
The ASA had 1 VPN account for our HVAC vendor that was restricted to 2 IP addresses.
Now I can't seem to get anyone at our ISP to even acknowledge my requests to do this, basically telling me its my problem and restrict them thru Active Directory permissions.  
We are authenticating the VPN with AD, however these 2 IP addresses are PLC's and do not talk Active Directory.
Mostly pleased with the MX, but not very happy that I have to tell the HVAC people they're out of luck.
No way am I giving them full network access.
Any Ideas?

0 Kudos
8 Replies 8
Ryan_Miles
Meraki Employee
Meraki Employee
‎Mar 8 2022 11:28 AM
‎Mar 8 2022 11:28 AM

you mean this?

 

https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_...

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Ryan_Miles
Chris_Watkins
Here to help
‎Mar 8 2022 11:50 AM
‎Mar 8 2022 11:50 AM

Hi rymiles, I believe that is what I want, will take me a bit to read thru it.   Thanks.

0 Kudos
In response to Ryan_Miles
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 8 2022 12:26 PM
‎Mar 8 2022 12:26 PM

Another solution.  If you use the Cisco AnyConnect client (I'm assuming you are using the Meraki VPN client built into windows at the moment), and you authentication to AD using RADIUS (NPS can do this on Windows server), then you can have NPS send the Filter-Id attribute to dynamically restricting users.

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance#Group_Policies_with_RADIUS_Filter... 

 

Note that AnyConnect is an additional cost (you need to buy the licences), but it is quite cheap (IMHO).

 

ps. AnyConnect is a million times better.

In response to PhilipDAth
Chris_Watkins
Here to help
‎Mar 14 2022 5:49 AM
‎Mar 14 2022 5:49 AM

Has something changed?
We were using AnyConnect and RADIUS when we switched to the Meraki and were told that AnyConnect was not supported. 

0 Kudos
In response to Chris_Watkins
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 14 2022 12:15 PM
‎Mar 14 2022 12:15 PM

These are the instructions for configuring AnyConnect on Meraki MX.

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance 

 

It works great.

0 Kudos
In response to Ryan_Miles
Chris_Watkins
Here to help
‎Mar 14 2022 5:56 AM
‎Mar 14 2022 5:56 AM

I am going to try to do this myself, but it Seems I am getting conflicting information.

Spectrum HVAC User 2.png

0 Kudos
In response to Chris_Watkins
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 14 2022 12:17 PM
‎Mar 14 2022 12:17 PM

You can restrict access of a VPN user by applying a group policy to the VPN user, and putting whatever layer 3 firewall rules you want in there.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying... 

 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 8 2022 12:23 PM
‎Mar 8 2022 12:23 PM

Do other users also use client VPN?  If so, the above approach probably wont work (it affects all client VPN users).

 

What you can do though is create a group policy (perhaps called client-vpn-hvac).  In that add the firewall rules to say what they can access (don't forget to put a deny all at the end).  Then go to the Network-Wide/Clients list, and find their VPN connection (add in the username column if you haven't got it already turned on).  Then assign the group policy to that connection.  It will stick for all future connections as well.

Then the restriction will only apply to that one VPN user.

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.