Home > Security Appliances > Client VPN > Restricting Client VPN access using Layer 3 firewall rules

Restricting Client VPN access using Layer 3 firewall rules

Table of contents
No headers

Client VPN users may access all subnets within the network by default. In order to control or restrict access for Client VPN users, firewall rules should be implemented.

 

Layer 3 firewall rules are a powerful tool for permitting and denying Client VPN traffic. Although Client VPN users are considered part of the LAN, network administrators may see a need for limiting overall access. Firewall rules can be used to limit access for VPN users to specific addresses/ports or ranges of addresses. Such as allowing access to most information, but denying access to sensitive resources to VPN users.

 

In the following example, we will be creating a Client VPN subnet and configuring rules that will permit and deny access based a several parameters.

 

 

  • Configuring Client VPN subnet
  • Configuring Addressing & VLANs subnet(s)
  • Configuring Firewall Rules

  

Configuring Client VPN subnet

 

The Client VPN subnet is configured via Configure > Client VPN. Take note of this network address as it will be used to implement Firewall rules for controlling traffic related to that subnet. In the following scenario, our Client VPN subnet will be (172.16.1.0/24)

 

 

 

Configuring Addressing & VLANs subnet(s)

 

Subnets local to the MX are configured via Configure > Addressing & VLANs. Below is an example depicting an MX that has VLANs enabled. Two subnets are present: (192.168.10.0/24) and (192.168.20.0/24). Both of these subnets will be accessible by users who establish a successful Client VPN session.

Additionally, subnets made known to the MX via Static LAN routes will also be available to the Client VPN subnet. These subnets are also configured via Configure > Addressing & VLANs

 

As shown below, the non-local subnet is 10.0.1.0/24, and will be pointed to a router with the address of 192.168.10.2.

 

 

 

Configuring Firewall Rules

 

Navigating to Configure > Firewall, note that the default settings permit all outbound traffic. This allows all subnets to communicate, including the client VPN network. Outbound rules also apply to Inter-VLAN Routing.

 

 

 

Outbound rules should be implemented to control which subnets Client VPN users may access. These rules are processed numerically, like an ACL, starting with Rule #1. Once a rule is matched, no further rules will be processed. Thus, the Rule number is essential.

  

Example 1

 

In the following example, the entire Client VPN subnet (172.16.1.0/24) will only have access to Subnet 1 and Subnet 2. The Client VPN subnet will not have access to Non-local Subnet 1.

 

Only a single rule denying all traffic from the Client VPN subnet to the non-local subnet is needed since there is an implicit "Allow" rule at the end that permits all other outbound traffic.

Example 2

 

In this next example, VPN clients are permitted to access HTTPS (secure web) and DNS servers on a LAN subnet, but all other access is denied.

There are many combinations of firewall rules available for configuration. As a general rule of thumb, configure rules that apply to a specific port/destination first, before configuring a rule that applies to the subnet as a whole. Please be sure to test and verify all firewall rules along the way to ensure proper access.

You must to post a comment.
Last modified
15:08, 11 Jul 2017

Tags

Classifications

This page has no classifications.

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community