
MX64 Client VPN Configuration


Hi All,

Hope you all are doing good.

I have the below-mentioned queries:

1. I have an MX64 with an Advanced Security license on which I want to configure client VPN.

   Do I need to buy any additional licenses for this, or is the Advanced Security license enough?

   Also let me know the prerequisites for client VPN configuration. If there is any document available, please share it.

2. I want to block all my users from going on the internet except my boss and HR. How can I do this?

   Also, we have one website whose access I want to give to all my users.

Please suggest.

1 ACCEPTED SOLUTION

Accepted Solutions
Meraki Employee

Re: MX64 Client VPN Configuration

Do I need to buy any additional licenses for this or advance sec license is enough?

No additional licenses are required for Client VPN access. You could connect as many Client VPN devices as you like until the box falls over, on either the enterprise or advanced security license.

Also let me know pre-requisites for client VPN configuration, If there is any document available please share it.

Basically any device which supports L2TP connections.

https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_OS_Configuration

I want to block all my users to go on internet except my boss and HR, How can I do this? Also we have one website whose access I want to give all my users.

There are multiple ways to do this; in all of them you will use Network Wide > Group Policies.

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

Create some simple Layer 3 firewall rules allowing access to the RFC 1918 addresses, and the public IP of the one website you want to allow. Then block everything else. You could apply this to the entire user VLAN on the Addressing & VLAN page, and then manually apply a less restrictive policy to your boss and HR.

If you didn't want to manually put HR and your boss's devices into the less restrictive policy, you can apply a policy based on a RADIUS response (if you're using Meraki wireless).
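
The rule order described in the answer above, modelled in Python as an added example; it is not part of the original post and is not Meraki configuration syntax. The website address (a documentation-range placeholder), the client addresses and all names are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges: internal traffic stays allowed.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Constructed placeholder (documentation range) for the one permitted website.
ALLOWED_SITE = "203.0.113.10/32"

# Ordered (action, destination CIDR) rules; the first match wins.
RESTRICTED = [("allow", c) for c in RFC1918] + [
    ("allow", ALLOWED_SITE),
    ("deny", "0.0.0.0/0"),      # block everything else
]
LESS_RESTRICTIVE = [("allow", "0.0.0.0/0")]

# Hypothetical client addresses with the less restrictive policy applied by hand.
OVERRIDES = {
    "192.168.10.5": LESS_RESTRICTIVE,   # boss (constructed)
    "192.168.10.6": LESS_RESTRICTIVE,   # HR (constructed)
}


def evaluate(policy, dst_ip):
    """Return the action of the first rule whose CIDR contains dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    for action, cidr in policy:
        if dst in ipaddress.ip_network(cidr):
            return action
    return "deny"  # nothing matched: fail closed


def decide(src_ip, dst_ip):
    """Pick the client's policy (override or VLAN default), then evaluate it."""
    return evaluate(OVERRIDES.get(src_ip, RESTRICTED), dst_ip)


if __name__ == "__main__":
    # Constructed probes: (source client, destination).
    for src, dst in [
        ("192.168.10.50", "10.1.2.3"),       # internal server
        ("192.168.10.50", "203.0.113.10"),   # the permitted website
        ("192.168.10.50", "172.32.0.1"),     # just outside 172.16.0.0/12
        ("192.168.10.50", "8.8.8.8"),        # public resolver
        ("192.168.10.5", "8.8.8.8"),         # boss, less restrictive policy
    ]:
        print(f"{src} -> {dst}: {decide(src, dst)}")
```

The 8.8.8.8 probe shows that restricted clients need an internal DNS resolver, because public resolvers fall under the final deny rule. The website rule matches one IP address only, so it has to be updated if the site's address changes.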

 

2 REPLIES 2
New here

Re: MX64 Client VPN Configuration

1. No additional licenses are needed for client VPN access. It is available by default with either license, Enterprise or Advanced Security.
See here for setup information: https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_Overview