Access a Non-Meraki site to site IPsec VPN from AnyConnect connection

Solved
Bobcheese2
Here to help


Hi everyone, I was wondering if anyone knows whether an MX will allow an AnyConnect user to route over a site-to-site VPN to a non-Meraki peer. Example: a user VPNs into an MX using AnyConnect, and there is a 3rd-party service linked via S2S VPN from that MX. Would Meraki allow the VPN user to route to that service?

1 Accepted Solution
GIdenJoe
Kind of a big deal

I believe it does work if the remote peer also includes the Secure Client VPN range in the security association. Also make sure that in the VPN settings you include the VPN subnet.


8 Replies
Bobcheese2
Here to help

I found this article where someone says they've got it working but never detailed how. However, most replies seem to indicate that it isn't possible. Ideally it would be great to get confirmation.


https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-Clients-can-t-access-Non-Meraki-peer-Site...

stevejames5091
New here


@Bobcheese2 wrote:

I found this article where someone says they've got it working but never detailed how. However, most replies seem to indicate that it isn't possible. Ideally it would be great to get confirmation.


https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-Clients-can-t-access-Non-Meraki-peer-Site...


You should directly ask the person who has done this; jimmyt234 is saying that he has done it for multiple customers. So, here's your guide: you can consult him directly and get your query sorted out.

Bobcheese2
Here to help

That would then defeat the object of this being a support forum, wouldn't it? The idea is that we discuss these in an open topic so they can be reviewed by others in the future.

GIdenJoe
Kind of a big deal

I believe it does work if the remote peer also includes the Secure Client VPN range in the security association. Also make sure that in the VPN settings you include the VPN subnet.

jimmyt234
Head in the Cloud

I will add some confidence to this and say it 100% works - we have done it on multiple customers.

alemabrahao
Kind of a big deal

Theoretically it shouldn't work, but have you tried declaring the AnyConnect network as traffic of interest on the peer side?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Bobcheese2
Here to help

Thanks for the responses. I can confirm this works: enabling the VPN subnet under VPN Settings -> Local Networks, as well as the far end adding the subnet to the site-to-site config. Had a few teething issues, but it's unclear yet whether these are anything to do with this specifically.
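The two-sided requirement that GIdenJoe and the OP describe (the client VPN subnet must be in the MX's site-to-site local networks, and the non-Meraki peer's traffic selector must also accept that subnet) is easy to get half right: the MX will happily put the pool in its SA proposal while the peer still only knows about the LAN, and the first AnyConnect packet towards the service is dropped with nothing obvious in the dashboard. The script below is an added example, not code from the thread or from Meraki; it models both ends' selectors with the Python standard library and reports whether a given flow would be protected and which MX local networks the peer is not yet covering. All subnets and hosts in it are constructed sample values, and the "mx"/"peer" dictionary layout is this example's own convention, not a Meraki or vendor API.

```python
"""Traffic-selector coverage check for an AnyConnect pool behind a Meraki MX
that must reach a service behind a non-Meraki IPsec peer.

A flow is only protected if a selector on BOTH ends covers it:
  MX side   : src in the MX's VPN local networks, dst in the peer's private subnets
  peer side : src in the peer's remote selector (crypto ACL / rightsubnet), dst in its local subnets
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Net = ipaddress.IPv4Network
Side = Dict[str, List[Net]]  # {"local": [...], "remote": [...]}


def nets(cidrs: Iterable[str]) -> List[Net]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_any(addr: str, subnets: List[Net]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in subnets)


def flow_status(src: str, dst: str, mx: Side, peer: Side) -> Tuple[bool, str]:
    """Return (protected, reason) for a packet src -> dst originating on the MX side."""
    if not in_any(src, mx["local"]):
        return False, "MX: source %s is not in the MX's VPN local networks" % src
    if not in_any(dst, mx["remote"]):
        return False, "MX: destination %s is not in the peer's private subnets" % dst
    if not in_any(src, peer["remote"]):
        return False, "peer: source %s is not in the peer's remote selector, no SA for it" % src
    if not in_any(dst, peer["local"]):
        return False, "peer: destination %s is not in the peer's local selector" % dst
    return True, "flow matches a selector on both sides"


def missing_on_peer(mx: Side, peer: Side) -> List[Net]:
    """MX local networks that no remote selector on the peer fully covers."""
    return [n for n in mx["local"] if not any(n.subnet_of(r) for r in peer["remote"])]


# Constructed sample addressing (not from the thread).
LAN = "192.168.128.0/24"            # MX LAN already in the site-to-site VPN
ANYCONNECT_POOL = "10.250.0.0/24"   # AnyConnect / client VPN pool on the MX
SERVICE_NET = "172.16.50.0/24"      # third-party service behind the non-Meraki peer

# Before: only the LAN is in the tunnel on either end.
BEFORE = ({"local": nets([LAN]), "remote": nets([SERVICE_NET])},
          {"local": nets([SERVICE_NET]), "remote": nets([LAN])})
# Half-fixed: the MX advertises the pool, but the peer's selector was never updated.
HALF = ({"local": nets([LAN, ANYCONNECT_POOL]), "remote": nets([SERVICE_NET])},
        {"local": nets([SERVICE_NET]), "remote": nets([LAN])})
# Fixed as the thread describes: pool on the MX side AND in the peer's SA.
AFTER = ({"local": nets([LAN, ANYCONNECT_POOL]), "remote": nets([SERVICE_NET])},
         {"local": nets([SERVICE_NET]), "remote": nets([LAN, ANYCONNECT_POOL])})

CLIENT = "10.250.0.23"    # constructed AnyConnect client address
SERVICE = "172.16.50.10"  # constructed host behind the peer

if __name__ == "__main__":
    for name, (mx, peer) in (("before", BEFORE), ("half", HALF), ("after", AFTER)):
        ok, why = flow_status(CLIENT, SERVICE, mx, peer)
        gap = [str(n) for n in missing_on_peer(mx, peer)]
        print("%-6s %s  %s  (peer not covering: %s)" % (name, "OK  " if ok else "DROP", why, gap))
```

Run it as-is to see the three states side by side; to use it on a real deployment, replace the constructed subnets with the MX's local networks list and the peer's configured selectors. The "half" case is the one worth remembering: the MX side looks correct, yet the peer reports no matching SA for the pool, which is exactly the symptom alemabrahao's "traffic of interest on the peer side" remark is aimed at.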

Bobcheese2
Here to help

OK, adding to this: it seems like when someone is connected to AnyConnect, the customer loses connection to the far end of the S2S VPN locally. The AnyConnect user doesn't seem to lose connectivity to the S2S VPN at all, just local LAN (Wi-Fi) users. I can see lots of logs of DNS failures on the Wi-Fi during that time; the DNS server is at the far end of the S2S VPN. Has anyone seen anything like this before?
