Meraki

Community

Static IP for Meraki MX VPN Cisco Secure Client

mrozsypal
Here to help
‎Feb 20 2024 11:49 AM
‎Feb 20 2024 11:49 AM

Static IP for Meraki MX VPN Cisco Secure Client

I am looking for info regarding a method to set clients connecting over VPN with Cisco Secure Client via Meraki MX to static IP's.

 

I believe there is a method with Meraki MDM or with radius/ISE but I am just looking to see if anyone knows another option.

 

Any info or feedback would be helpful.

Thank you

Labels:
0 Kudos
5 Replies 5
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Feb 20 2024 11:56 AM
‎Feb 20 2024 11:56 AM

Filterung by IP is so 90s 😉

 

How about using Group Policies for specific Clients?

In response to CptnCrnch
mrozsypal
Here to help
‎Feb 20 2024 12:09 PM
‎Feb 20 2024 12:09 PM

I am using group policy via Meraki MX already but maybe I am doing it wrong?

 

The intention by setting the static IP is so that an on premise endpoint will only talk to that one client over VPN.

 

So in this case I can solve this issue by making every client on the VPN not able to talk to said endpoint over group policy but I have to set this rule for every client in group policy to not talk to the endpoint.

 

The static IP for the VPN client would just make it so I have to change the group policy on the endpoint and then the single VPN client so they can allow traffic to each other via their static IP's.

 

Hopefully that makes sense.

Please let me know I can try to explain more.

 

 

0 Kudos
In response to mrozsypal
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Feb 20 2024 12:47 PM
‎Feb 20 2024 12:47 PM

Sorry, but I still didn‘t get the point. What do you mean by 

So in this case I can solve this issue by making every client on the VPN not able to talk to said endpoint over group policy but I have to set this rule for every client in group policy to not talk to the endpoint.“?

 

you don‘t have to do it for every client themselves. That‘s what Group Policy is meant for?!

 

if you want to make specific policies for every client, just go for dedicated Group Policy for every client. These could be dynamically assigned by ISE e.g.

In response to CptnCrnch
mrozsypal
Here to help
‎Feb 22 2024 11:46 AM
‎Feb 22 2024 11:46 AM

Ok let me try to explain better.

 

I do not have ISE since its an additional cost I would get this if I could but right now I am just using Meraki MX.

 

The aim is just to isolate the traffic from one endpoint/endpoints with a group policy applied so that it only goes to one VPN client/clients with a group policy also applied.

 

I cannot isolate the traffic because the group policy only supports IP addresses.

Any traffic I allow from the endpoints group policy has to go to the entire IP subnet for VPN clients.

This is because I would have to change the specific IP addresses allowed for the endpoint group policy each time the VPN clients IP's change since they randomly do so upon VPN connection.

 

If I could just say allow traffic going to these group policy tagged clients then it would work easy without static IP.

 

As far as I have seen there is no feature for that for Meraki MX VPN clients.

0 Kudos
jimmyt234
Building a reputation
‎Feb 23 2024 2:18 AM
‎Feb 23 2024 2:18 AM

Probably not quite what you're after, and a bit of a hack: but if you've got more than 1 MX in the network then you can configure the VPN client differently on each one and get the specific users only to connect to the relevant MX.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.