Unable to restrict AnyConnect VPN clients from accessing LAN or VLAN resources

Solved
KenLux
Here to help

I'm trying to do something that this link says I should be able to do - restrict VPN clients from accessing certain resources on a local VLAN.

https://documentation.meraki.com/MX/Client_VPN/Restricting_Client_VPN_access_using_Layer_3_firewall_...

This documentation appears to be incorrect, at least for AnyConnect VPN clients. I have applied L3 firewall rules to deny all access from my VPN subnet to a VLAN subnet and to deny all access from the VLAN subnet to my VPN subnet. Yet I can access a web server on the VLAN subnet from a client on the VPN. I also tried blocking access from a single VPN IP address to a single server (an Exchange server). I can send and receive email through the "blocked" Exchange server.

Other people have posted that these rules should be applied on the site-to-site VPN page, and I have tried that, but VPN clients still have full access to everything on the LAN no matter what L3 firewall rules are in place.

Using an MX84 (18.107.2) and AnyConnect VPN clients.

Is this a known security flaw? It seems like a giant hole.

Has anyone been able to block access to any LAN resources from an AnyConnect VPN client?

1 Accepted Solution
KenLux
Here to help

So I was able to get it to work using a L3 rule in a Group Policy.

I really wish the documentation didn't say to use settings that do absolutely nothing.

Now if I could get the MX to stop relaying pings.


3 Replies
Ryan_Miles
Meraki Employee

Just tested it; the regular L3 FW rule works here. Source object has both my L2TP and AnyConnect VPN subnets. You can see the hit counter.

My config

Screenshot 2024-02-03 at 08.47.05.png

And pings from my AnyConnect VPN connected client (first blocking then allowing when I changed the FW rule to allow).

IMG_0780.PNG

Ryan

harmankardon
Building a reputation

Can you clarify, did you try implementing the L3 firewall rules on just the site-to-site VPN page, or did you also try on the Firewall page? What you are trying to accomplish should be done on the Firewall page under Layer 3 Outbound rules (assuming the VLANs you are trying to restrict access to are local to the MX that is being used as the AnyConnect server).

And perhaps you can share with us the rules you are applying.
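A way to sanity-check a candidate L3 rule set before pasting it into the Dashboard, as an added example that is not from the thread or from Meraki: it walks the rules with the first-match, default-allow semantics of a Meraki L3 rule list and flags denies that a broader earlier allow would shadow. The sample subnets are constructed, and the rule field names are an assumption modelled on the Dashboard API's L3 rule representation.

```python
import ipaddress

# Constructed sample: an AnyConnect pool and one LAN VLAN, not the thread's real
# addressing. Rule fields mirror the Meraki Dashboard API's L3 rule shape (assumed).
VPN_SUBNET = "10.10.10.0/24"
VLAN_SUBNET = "192.168.50.0/24"

RULES = [  # the two-way deny the original poster describes
    {"policy": "deny", "protocol": "any", "srcCidr": VPN_SUBNET,
     "destCidr": VLAN_SUBNET, "destPort": "Any", "comment": "VPN -> VLAN"},
    {"policy": "deny", "protocol": "any", "srcCidr": VLAN_SUBNET,
     "destCidr": VPN_SUBNET, "destPort": "Any", "comment": "VLAN -> VPN"},
]

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def _cidr_match(cidr, ip):
    return cidr.lower() == "any" or ipaddress.ip_address(ip) in _net(cidr)

def _port_match(spec, port):
    if spec.lower() == "any":
        return True
    lo, _, hi = spec.partition("-")  # "443" or a range like "8000-8080"
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip, dst_ip, proto, dst_port=0):
    """First-match walk of the rule list. Meraki L3 lists end in an implicit
    'allow any', so unmatched traffic is allowed. Returns (policy, comment)."""
    for r in rules:
        if (r["protocol"].lower() in ("any", proto.lower())
                and _cidr_match(r["srcCidr"], src_ip)
                and _cidr_match(r["destCidr"], dst_ip)
                and _port_match(r["destPort"], dst_port)):
            return r["policy"], r["comment"]
    return "allow", "default allow"

def _covers(a, b):
    """True if rule a matches every flow rule b would match (IPv4 assumed)."""
    def cidr_covers(x, y):
        return x.lower() == "any" or (y.lower() != "any" and _net(y).subnet_of(_net(x)))
    return (a["protocol"].lower() in ("any", b["protocol"].lower())
            and cidr_covers(a["srcCidr"], b["srcCidr"])
            and cidr_covers(a["destCidr"], b["destCidr"])
            and a["destPort"].lower() in ("any", b["destPort"].lower()))

def shadowed(rules):
    """Rules that can never fire because an earlier rule already covers them."""
    return [b["comment"] for i, b in enumerate(rules)
            if any(_covers(a, b) for a in rules[:i])]
```

Running `shadowed()` on a list that begins with a broad allow reports both denies as dead, which is the kind of ordering mistake worth ruling out before concluding the platform ignores the rules.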
