Meraki

Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Add static route to allow VPN users to connect to their workstations

Solved
Roey1984
Building a reputation
‎May 27 2023 1:27 AM
‎May 27 2023 1:27 AM

Add static route to allow VPN users to connect to their workstations

Hello

 

I configured the Meraki VPN for our users.

The VPN subnet is: 192.168.120.1/24

Client's workstations subnet is: 192.168.110.1/24

 

Once they connect successfully to the VPN, they are unable to reach their workstations (Routing issue, it seems)

 

Do I need to add a Static Route in the MX?

Attached is a picture of what I need to configure; I want to ensure I`m configuring it correctly.

Thank you!chrome_nJ8oLUKvul.png

Labels:
0 Kudos
1 Accepted Solution
In response to Roey1984
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 28 2023 8:53 AM
‎May 28 2023 8:53 AM

The routing will work no matter if it's full tunnel or not, and no, there's no need to create routes on the workstation.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

7 Replies 7
Brash
Kind of a big deal
Kind of a big deal
‎May 27 2023 2:12 AM
‎May 27 2023 2:12 AM

Adding the route you provided the screenshot of is telling the MX that in order to reach the VPN subnet, it should send traffic to the client workstation subnet, which from my understanding is not what you're trying to achieve.

 

Essentially, the MX needs to know how to reach the workstation subnet (Eg. Has a vlan interface for that subnet, or a static route of how to get there).

Similarly, the default gateway of the workstation subnet needs a route to know that it can get to the VPN subnet via the MX.

In response to Brash
Roey1984
Building a reputation
‎May 27 2023 3:10 AM
‎May 27 2023 3:10 AM

Hey Brash

Thank you for your reply.

 

All Workstations reside in the 192.168.100.x subnet (VLAN 1)

Once a client connects from home, he gets an IP from subnet 192.168.110.x.

 

I understand that my configuration isn't correct.

I also don't have any dedicated VLAN for the VPN (Under Routing); I only have the default one.

Do I need to add here the VPN subnet? or it`s enough for the "Client VPN" page to configure it?

 

Adding pictures to show my current configuration

 

chrome_l7njdUGuor.pngchrome_vcaBUHVvZW.png

0 Kudos
In response to Roey1984
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 27 2023 4:14 AM
‎May 27 2023 4:14 AM

If the MX is the gateway of this network there is no need to create statistical routes, I think you are complicating things.

 

Have you already checked that the Windows firewall is not blocking remote access?

 

Try disabling Window firewall.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Roey1984
Building a reputation
‎May 28 2023 7:29 AM
‎May 28 2023 7:29 AM

Thanks, Alemabrahao

 

It seems that users need to add a route on their personal device before connecting to the VPN.

But, they want to connect to the end station only ( and not route all traffic through the VPN)

 

According to Meraki:

"Cisco Meraki Client VPN only establishes full-tunnel connections, which will direct all client traffic through the VPN to the configured MX. As such, any content filtering, firewall or traffic shaping rules will apply to the VPN client's outbound traffic."

 

 

Do you think I can enable Split tunnel in my MX75?

 

0 Kudos
In response to Roey1984
ww
Kind of a big deal
Kind of a big deal
‎May 28 2023 7:49 AM
‎May 28 2023 7:49 AM

Its not a mx setting but a client configuration.

@PhilipDAth  made a script that could help

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

In response to Roey1984
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 28 2023 8:53 AM
‎May 28 2023 8:53 AM

The routing will work no matter if it's full tunnel or not, and no, there's no need to create routes on the workstation.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to Roey1984
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 28 2023 12:41 PM
‎May 28 2023 12:41 PM

>It seems that users need to add a route on their personal device

 

Windows, no.  Apple Mac, yes.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.