MX AnyConnect/IPSec Client VPN - Restricting access

antuk
Just browsing

Hi all,

I'm trying to block certain IP ranges from being able to hit my VPN tunnels. I've tried L7 firewall rules and they just get ignored.

Does anyone know how to configure inbound firewall rules for ports not handled by Port Forwarding/NAT rules?

Thanks,

Anthony

alemabrahao
Kind of a big deal

For IPsec, you can configure layer 3 rules; for AnyConnect you can allow just the networks that clients need to access.

https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
antuk
Just browsing

Thanks, I was after a block list, not an allow list. However, I've managed to do what I wanted by getting support to enable the inbound firewall rules config.

alemabrahao
Kind of a big deal

It's not to allow, it's just to define what subnets users can access through the VPN. You can use the outbound rules to achieve it; look at the article that I sent to you.

antuk
Just browsing

That's not quite what I was trying to achieve. Basically, lots of random addresses are probing my open ports, so I'm trying to restrict which external IPs can access my VPN port (pre-authentication), so I wanted access to inbound firewall rules. After speaking to support they have enabled the option and now I can block at will.
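The approach antuk lands on, denying known probing sources on the client VPN ports before any authentication happens, expressed as an added example; this is not code from the thread or from Meraki. It takes a raw block list, validates it and collapses overlapping ranges, emits an ordered deny ruleset in the field shape of the Dashboard API's L3 inbound rules (that shape, the ports 500/4500/443 and all addresses are assumptions constructed for the example), and includes a first-match evaluator so the result can be checked offline: a blocked source is denied on the VPN ports while every other source still falls through to the default allow.

```python
"""Build an MX-style inbound deny list for the client VPN ports and check it."""
import ipaddress
from typing import Any, Dict, Iterable, List

# Ports the client VPN listens on (constructed for this example): IPsec uses
# UDP 500 (IKE) and UDP 4500 (NAT-T); AnyConnect uses TCP 443 for TLS and
# UDP 443 for DTLS when left on the default port.
VPN_SERVICES = (
    ("udp", "500,4500", "IPsec IKE and NAT-T"),
    ("tcp", "443", "AnyConnect TLS"),
    ("udp", "443", "AnyConnect DTLS"),
)


def normalize_blocklist(entries: Iterable[str]) -> List[str]:
    """Validate block-list entries, skip blanks and comments, collapse overlaps.

    Raises ValueError on a malformed entry so a typo cannot silently turn
    into an empty (non-blocking) rule.
    """
    nets = []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            nets.append(ipaddress.ip_network(text, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid block-list entry: {raw!r}") from exc
    # collapse_addresses only accepts one address family at a time.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]


def build_inbound_deny_rules(blocklist: Iterable[str], syslog: bool = True) -> List[Dict[str, Any]]:
    """One deny rule per VPN service, listing every blocked source.

    Field names follow the L3 rule shape of the Meraki Dashboard API
    (policy/protocol/srcCidr/srcPort/destCidr/destPort/comment/syslogEnabled).
    That shape is an assumption of this example; check it against the API
    reference before pushing anything. Rules are evaluated top to bottom and
    unmatched traffic falls through to the default allow, so deny rules go first.
    """
    sources = ",".join(normalize_blocklist(blocklist))
    if not sources:
        return []
    return [
        {
            "comment": f"Block probing sources: {label}",
            "policy": "deny",
            "protocol": proto,
            "srcPort": "Any",
            "srcCidr": sources,
            "destPort": ports,
            "destCidr": "Any",
            "syslogEnabled": syslog,
        }
        for proto, ports, label in VPN_SERVICES
    ]


def _matches(field: str, value: str) -> bool:
    """Match a comma-separated rule field ("Any" matches everything)."""
    return field == "Any" or value in {p.strip() for p in field.split(",")}


def evaluate(rules: List[Dict[str, Any]], src_ip: str, protocol: str, dest_port: int) -> str:
    """First-match evaluation of the ruleset for one inbound connection.

    Returns "deny" or "allow". Unmatched traffic gets the implicit default
    allow, which is why this ruleset works as a block list for the VPN ports
    and not as a general allow list.
    """
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["protocol"] not in ("any", protocol):
            continue
        if not _matches(rule["destPort"], str(dest_port)):
            continue
        if rule["srcCidr"] != "Any":
            nets = (ipaddress.ip_network(c.strip(), strict=False) for c in rule["srcCidr"].split(","))
            if not any(src in n for n in nets):  # mismatched IP versions never match
                continue
        return rule["policy"]
    return "allow"


if __name__ == "__main__":
    # Constructed sample: the kind of sources a probing report would list.
    probes = ["203.0.113.0/24", "203.0.113.77  # already inside the /24", "198.51.100.8", "2001:db8::/32"]
    ruleset = build_inbound_deny_rules(probes)
    for rule in ruleset:
        print(rule["protocol"], rule["destPort"], "<-", rule["srcCidr"])
    print(evaluate(ruleset, "203.0.113.77", "udp", 4500))  # deny
    print(evaluate(ruleset, "192.0.2.10", "udp", 4500))    # allow
```

The evaluator is the part worth keeping around: before a block list is pushed to the MX, run a handful of known-good client addresses through it to confirm none of them are caught by an over-broad range, and a couple of the probing addresses to confirm they are.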

alemabrahao
Kind of a big deal

👍
