Add static route to allow VPN users to connect to their workstations

Solved
Roey1984
Building a reputation

Hello

 

I configured the Meraki VPN for our users.

The VPN subnet is: 192.168.120.1/24

Client's workstations subnet is: 192.168.110.1/24

 

Once they connect successfully to the VPN, they are unable to reach their workstations (Routing issue, it seems)

 

Do I need to add a Static Route in the MX?

Attached is a picture of what I need to configure; I want to ensure I'm configuring it correctly.

Thank you!

1 Accepted Solution
alemabrahao
Kind of a big deal

The routing will work no matter if it's full tunnel or not, and no, there's no need to create routes on the workstation.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

7 Replies
Brash
Kind of a big deal

Adding the route you provided the screenshot of is telling the MX that in order to reach the VPN subnet, it should send traffic to the client workstation subnet, which from my understanding is not what you're trying to achieve.

 

Essentially, the MX needs to know how to reach the workstation subnet (Eg. Has a vlan interface for that subnet, or a static route of how to get there).

Similarly, the default gateway of the workstation subnet needs a route to know that it can get to the VPN subnet via the MX.
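The two routing conditions Brash lists (the MX must have a route to the workstation subnet, and the workstation subnet's gateway must have a route back to the VPN pool) can be checked with a small longest-prefix-match walk. The following is an added example, not code from the thread or from Meraki; it uses the subnets the poster gives later in the thread (workstations 192.168.100.0/24 on VLAN 1, Client VPN pool 192.168.110.0/24), and the device names "Core" and "ISP", the transit link 10.0.0.0/30 and the host addresses 192.168.100.20 / 192.168.110.10 are constructed for the illustration. It walks a packet hop by hop through three constructed topologies: the MX as gateway for both subnets (no static route needed), a downstream L3 switch owning VLAN 1 without and with the static route on the MX, and the reversed route from the first screenshot, which a connected interface outranks and which therefore never carries traffic.

```python
"""Hop-by-hop route resolution for the Client VPN / workstation case.

Added, constructed example: device names, the 10.0.0.0/30 transit link and
the host addresses are hypothetical; only the two /24 subnets come from the
thread.
"""
import ipaddress
from dataclasses import dataclass

CONNECTED = 0   # directly attached interface; preferred over anything else
STATIC = 1      # manually configured route (higher administrative distance)

WORKSTATIONS = "192.168.100.0/24"   # VLAN 1, from the thread
VPN_POOL = "192.168.110.0/24"       # Client VPN pool, from the thread


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # "local" for a connected subnet, else a device name
    distance: int = STATIC


def route(prefix: str, next_hop: str, distance: int = STATIC) -> Route:
    return Route(ipaddress.ip_network(prefix), next_hop, distance)


def best_route(table, dst):
    """Longest prefix wins; a tie is broken by the lower administrative distance."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.distance))


def trace(devices, start, dst, max_hops=8):
    """Walk a packet from device `start` towards `dst`.

    Returns the devices traversed; the walk ends when a device has `dst` on a
    connected interface. "DROP" is appended if some device has no usable route.
    """
    path = [start]
    current = start
    for _ in range(max_hops):
        table = devices.get(current)
        r = best_route(table, dst) if table is not None else None
        if r is None:
            return path + ["DROP"]
        if r.next_hop == "local":
            return path          # delivered onto the connected subnet
        current = r.next_hop
        path.append(current)
    return path + ["LOOP"]


# Scenario 1: the MX is the gateway of both subnets (alemabrahao's case).
MX_IS_GATEWAY = {
    "MX": [route(WORKSTATIONS, "local", CONNECTED),
           route(VPN_POOL, "local", CONNECTED),
           route("0.0.0.0/0", "ISP")],
    "ISP": [],    # the upstream has no route back into private address space
}

# Scenario 1b: the reversed route from the first screenshot, as Brash reads it:
# "to reach the VPN pool, send towards the workstation side". The connected
# VPN pool outranks it, so it is never used.
REVERSED_ROUTE = {
    **MX_IS_GATEWAY,
    "MX": MX_IS_GATEWAY["MX"] + [route(VPN_POOL, "Core")],
}


def core_topology(mx_has_static: bool):
    """Scenario 2: a hypothetical downstream L3 switch ("Core") owns VLAN 1 and
    uses the MX as its default gateway over a constructed transit link."""
    mx = [route(VPN_POOL, "local", CONNECTED),
          route("10.0.0.0/30", "local", CONNECTED),
          route("0.0.0.0/0", "ISP")]
    if mx_has_static:
        mx.append(route(WORKSTATIONS, "Core"))   # the route Brash describes
    return {
        "MX": mx,
        "Core": [route(WORKSTATIONS, "local", CONNECTED),
                 route("10.0.0.0/30", "local", CONNECTED),
                 route("0.0.0.0/0", "MX")],      # return path to the VPN pool
        "ISP": [],
    }


if __name__ == "__main__":
    print("MX is gateway, VPN -> workstation:", trace(MX_IS_GATEWAY, "MX", "192.168.100.20"))
    print("MX is gateway, workstation -> VPN:", trace(MX_IS_GATEWAY, "MX", "192.168.110.10"))
    print("L3 switch, no static on MX:      ", trace(core_topology(False), "MX", "192.168.100.20"))
    print("L3 switch, static on MX:         ", trace(core_topology(True), "MX", "192.168.100.20"))
    print("L3 switch, return via default:   ", trace(core_topology(True), "Core", "192.168.110.10"))
    print("Reversed route picked? next hop =", best_route(REVERSED_ROUTE["MX"], "192.168.110.10").next_hop)
```

Running it shows the traffic delivered in one hop when the MX owns both subnets, dropped at the upstream when a separate L3 switch owns VLAN 1 and the MX has no route to it, delivered via "Core" once the static route exists (with the return path following Core's default route back to the MX), and the reversed route losing to the connected VPN pool.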

Roey1984
Building a reputation

Hey Brash

Thank you for your reply.

 

All Workstations reside in the 192.168.100.x subnet (VLAN 1)

Once a client connects from home, he gets an IP from subnet 192.168.110.x.

 

I understand that my configuration isn't correct.

I also don't have any dedicated VLAN for the VPN (Under Routing); I only have the default one.

Do I need to add the VPN subnet here, or is it enough to configure it on the "Client VPN" page?

 

Adding pictures to show my current configuration

 

[screenshots attached]

alemabrahao
Kind of a big deal

If the MX is the gateway of this network there is no need to create static routes, I think you are complicating things.

 

Have you already checked that the Windows firewall is not blocking remote access?

 

Try disabling the Windows firewall.

Roey1984
Building a reputation

Thanks, Alemabrahao

 

It seems that users need to add a route on their personal device before connecting to the VPN.

But they want to connect to the end station only (and not route all traffic through the VPN).

 

According to Meraki:

"Cisco Meraki Client VPN only establishes full-tunnel connections, which will direct all client traffic through the VPN to the configured MX. As such, any content filtering, firewall or traffic shaping rules will apply to the VPN client's outbound traffic."

 

 

Do you think I can enable Split tunnel in my MX75?

 

ww
Kind of a big deal

It's not an MX setting but a client configuration.

@PhilipDAth made a script that could help:

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

PhilipDAth
Kind of a big deal

>It seems that users need to add a route on their personal device

 

Windows, no. Apple Mac, yes.
