Meraki

Community

VPN Client - Static IP

Solved
SL
New here
‎Mar 18 2019 10:00 PM
‎Mar 18 2019 10:00 PM

VPN Client - Static IP

Hi,

 

I'm planning to deploy a MX100 to replace our firewall / vpn concertrator and I have a question about the vpn client.

 

For example - the client VPN subnet on the MX is 192.168.10.0/24, I want to:

Allow 192.168.10.0/25 to access dmz subnet

Deny 192.168.10.128/25 to access dmz subnet

 

The issue is the MX is giving out dynamic IP for each vpn connection and I can't control them from accessing the dmz subnet.

 

Is that possible to assign a specific IP for each vpn user?

 

Thanks.

 

Sam

0 Kudos
1 Accepted Solution
BrechtSchamp
Kind of a big deal
‎Mar 18 2019 11:10 PM
‎Mar 18 2019 11:10 PM

I'm afraid there's no way to control which addresses are assigned to who. Not unless you put in two separate MXs.

 

I know that clients connecting to VPN do show up in the clients list and you could assign a group policy to them with their access rights. The problem is that I'm not sure if those entries are the same everytime they connect to the network. The name of their entries seems to be a MAC-address but I'm not sure how it's generated.

 

If you have a lot of clients this would become problematic anyway because there's a limit to how many clients you can manually assign group policies to: 1000.

 

Client VPN funcionality on the MX needs some work... I know anyconnect support is planned, definitely get your question in over a "make a wish" too. It makes sense to have such a feature (role-based access for client VPN) and could perhaps be added when they overhaul the client VPN functionality.

View solution in original post

3 Replies 3
BrechtSchamp
Kind of a big deal
‎Mar 18 2019 11:10 PM
‎Mar 18 2019 11:10 PM

I'm afraid there's no way to control which addresses are assigned to who. Not unless you put in two separate MXs.

 

I know that clients connecting to VPN do show up in the clients list and you could assign a group policy to them with their access rights. The problem is that I'm not sure if those entries are the same everytime they connect to the network. The name of their entries seems to be a MAC-address but I'm not sure how it's generated.

 

If you have a lot of clients this would become problematic anyway because there's a limit to how many clients you can manually assign group policies to: 1000.

 

Client VPN funcionality on the MX needs some work... I know anyconnect support is planned, definitely get your question in over a "make a wish" too. It makes sense to have such a feature (role-based access for client VPN) and could perhaps be added when they overhaul the client VPN functionality.

In response to BrechtSchamp
SL
New here
‎Mar 18 2019 11:59 PM
‎Mar 18 2019 11:59 PM

Thanks BrechtSchamp.

 

Group policy might be the only way for now but it will get messy and hard to manage in long run. 😞

 

In this case, I've to keep my current vpn concentrator, it's too bad that MX doesn't support this vpn client functionality.

 

Thanks again and I will "make a wish" over to Meraki.

 

 

0 Kudos
JohnDire
New here
‎Mar 22 2019 6:04 AM
‎Mar 22 2019 6:04 AM

I tried several vpn services. I used Sahrzad when I was in UAE to unblock Skype from my hotel and access blocked sites. My friend who lives in China now uses VeePN. It works good to unblock Youtube, facebook, google and others. Now I am using VeePN too. Today there are many good vpn providers. All depends on your needs.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.