Meraki

Community

MX AnyConnect/IPSec Client VPN - Restricting access

antuk
Just browsing
‎Nov 8 2022 3:19 PM
‎Nov 8 2022 3:19 PM

MX AnyConnect/IPSec Client VPN - Restricting access

Hi all,

 

Im trying to block certain IP ranges from being able to hit my VPN tunnels, Ive tried L7 firewall rules and they just get ignored.

 

Does anyone know how to configure inbound firewall rules for ports not handled by Port Forwarding/NAT rules

 

Thanks,

Anthony

Labels:
0 Kudos
5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 8 2022 3:52 PM
‎Nov 8 2022 3:52 PM

For IPsec, you can configure layer 3 rules, for Anyconnect you can allow just the networks that clients need to access.

 

https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_...

alemabrahao_0-1667951538701.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
antuk
Just browsing
‎Nov 9 2022 4:16 AM
‎Nov 9 2022 4:16 AM

Thanks, I was after a block list not an allow list - however Ive managed to do what I wanted by getting support to enable the inbound firewall rules config

0 Kudos
In response to antuk
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 9 2022 4:33 AM
‎Nov 9 2022 4:33 AM

It's not to allow, it's just to define what subnets users can access through the VPN. you can use the outbound rules to achieve it, look the article that I sent to you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
antuk
Just browsing
‎Nov 9 2022 7:55 AM
‎Nov 9 2022 7:55 AM

thats not quite what i was trying to achieve. Basically lots of random address are probing my open ports, so im trying to restrict what external IPs can access my VPN port (pre authentication), so I wanted access to inbound firewall rules. After speaking to support they have enabled the option and now I can block at will.

0 Kudos
In response to antuk
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 9 2022 7:59 AM
‎Nov 9 2022 7:59 AM

👍

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.