Static IP for Meraki MX VPN Cisco Secure Client

mrozsypal
Here to help


I am looking for info regarding a method to set clients connecting over VPN with Cisco Secure Client via Meraki MX to static IPs.

I believe there is a method with Meraki MDM or with RADIUS/ISE, but I am just looking to see if anyone knows another option.

Any info or feedback would be helpful.

Thank you

CptnCrnch
Kind of a big deal

Filtering by IP is so 90s 😉

How about using Group Policies for specific Clients?

mrozsypal
Here to help

I am using group policy via Meraki MX already but maybe I am doing it wrong?

The intention by setting the static IP is so that an on-premises endpoint will only talk to that one client over VPN.

So in this case I can solve this issue by making every client on the VPN not able to talk to said endpoint over group policy, but I have to set this rule for every client in group policy to not talk to the endpoint.

The static IP for the VPN client would just make it so I have to change the group policy on the endpoint and then the single VPN client so they can allow traffic to each other via their static IPs.

Hopefully that makes sense.

Please let me know I can try to explain more.

CptnCrnch
Kind of a big deal

Sorry, but I still didn't get the point. What do you mean by "So in this case I can solve this issue by making every client on the VPN not able to talk to said endpoint over group policy but I have to set this rule for every client in group policy to not talk to the endpoint."?

You don't have to do it for every client themselves. That's what Group Policy is meant for?!

If you want to make specific policies for every client, just go for a dedicated Group Policy for every client. These could be dynamically assigned by ISE, e.g.

mrozsypal
Here to help

OK, let me try to explain better.

I do not have ISE since it's an additional cost. I would get this if I could, but right now I am just using Meraki MX.

The aim is just to isolate the traffic from one endpoint/endpoints with a group policy applied so that it only goes to one VPN client/clients with a group policy also applied.

I cannot isolate the traffic because the group policy only supports IP addresses.

Any traffic I allow from the endpoint's group policy has to go to the entire IP subnet for VPN clients.

This is because I would have to change the specific IP addresses allowed for the endpoint group policy each time the VPN clients' IPs change, since they randomly do so upon VPN connection.

If I could just say allow traffic going to these group policy tagged clients, then it would work easily without static IP.

As far as I have seen, there is no feature for that for Meraki MX VPN clients.

jimmyt234
Building a reputation

Probably not quite what you're after, and a bit of a hack: but if you've got more than 1 MX in the network then you can configure the VPN client differently on each one and get the specific users only to connect to the relevant MX.
