Limiting client VPN connections by their IP address

Solved
rafi
Comes here often

Hello there~

I am looking for some help on a couple of things that our auditors recommended we do with our client VPN connections.  One of them is attempting to filter each client by their IP address.  Is this possible on an MX100? How can I further protect the client VPN connections from the attack surface standpoint? Much appreciated.

Rafael~

4 Replies
Bruce
Kind of a big deal

What do you mean by filter client VPN connections by IP address? Are you trying to restrict the IP addresses that can connect to the MX? In which case, how are you going to determine the IP addresses, since they’re likely to be dynamic at the remote end?

If you mean filter what they can access within your network, then you can use Group Policy. Whether you’re using L2TP or AnyConnect will determine how well this can be implemented (AnyConnect offers the better solution).

rafi
Comes here often

Thanks for responding.  I was not aware they would be dynamic... I have my own hotspot from work, but not everyone was given one.  So, there would be no way to set that up since the IP changes on the user's end?

I just noticed AnyConnect on our MX. Is this a new offering by Meraki? I have it disabled and am using IPsec.

Brash
Kind of a big deal

As @Bruce said, filtering incoming client VPN connections based on whitelisted IPs doesn't really make sense for a modern workplace. If the client is at a known location, they most likely will already be inside the corporate network. If they're in a different location, their IP address is going to be variable depending on how they connect (home internet, hotspot, etc.).

You're much better off securing your VPN by enforcing strong authentication and restricting what authenticated users can access via firewall rules and group policy.

To answer your other question, AnyConnect is a long-running Cisco VPN platform which can run on the MX. It provides some additional features and is generally considered better than the Meraki client VPN.
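
As an added illustration of the "restrict what authenticated users can access via firewall rules" advice above (example code, not from the thread or from Meraki), this script builds an ordered allow-then-deny rule set for a constructed client VPN pool and evaluates sample flows against it with first-match semantics. The client VPN subnet, the internal hosts, and the rule field names (modelled on the MX L3 firewall rule layout, but not verified against it here) are assumptions.

```python
import ipaddress

# Constructed sample values: the client VPN address pool and the only
# internal services VPN users are meant to reach (all assumptions).
VPN_POOL = "10.255.0.0/24"
ALLOWED_SERVICES = [
    ("10.10.1.10/32", "tcp", "443"),  # intranet web server
    ("10.10.1.20/32", "udp", "53"),   # internal DNS resolver
]

def build_vpn_rules(vpn_pool, services):
    """Ordered, first-match rule list: explicit allows from the VPN pool,
    then a catch-all deny for the pool so anything unlisted is blocked."""
    rules = []
    for dest, proto, port in services:
        rules.append({"comment": f"VPN clients -> {dest} {proto}/{port}",
                      "policy": "allow", "protocol": proto,
                      "srcCidr": vpn_pool, "srcPort": "Any",
                      "destCidr": dest, "destPort": port, "syslogEnabled": True})
    rules.append({"comment": "Default deny for VPN clients",
                  "policy": "deny", "protocol": "any",
                  "srcCidr": vpn_pool, "srcPort": "Any",
                  "destCidr": "Any", "destPort": "Any", "syslogEnabled": True})
    return rules

def _match_cidr(cidr, ip):
    return cidr.lower() == "any" or \
        ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def _match_port(spec, port):
    # Port specs are strings such as "443" or "80,443" or "Any".
    return spec.lower() == "any" or str(port) in spec.split(",")

def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """Return the policy of the first matching rule. A flow that matches no
    rule falls through to 'allow' (assumed default), which is exactly why
    the explicit trailing deny for the VPN pool is needed."""
    for r in rules:
        if r["protocol"] not in ("any", proto):
            continue
        if _match_cidr(r["srcCidr"], src_ip) and _match_cidr(r["destCidr"], dst_ip) \
                and _match_port(r["destPort"], dst_port):
            return r["policy"]
    return "allow"

if __name__ == "__main__":
    rules = build_vpn_rules(VPN_POOL, ALLOWED_SERVICES)
    for flow in [("10.255.0.7", "10.10.1.10", "tcp", 443),
                 ("10.255.0.7", "10.10.1.10", "tcp", 22)]:
        print(flow, "->", evaluate(rules, *flow))
```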

rafi
Comes here often

Thanks so much for the detail on your response.  I will be looking into other restrictions as recommended.  Much appreciated. 
