Can I set the network subnet to ANY on MX Firewall VPN?

Snika


When setting up an IPsec VPN on the Cisco ASA, you can specify the subnet as ANY.

Is this possible on the MX firewall?

I want to set up a non-Meraki VPN.

[screenshot: VPNANYANY.png]

KarstenI
Kind of a big deal

Yes, you can do it with the help of a 0.0.0.0/0 static route pointing to the inside. But could you describe what you want to do? Likely, it won't work because of other VPN restrictions on the MX.

Snika

MX VPN = A
non-Meraki VPN = B

I want to do IPsec VPN tunneling between VPN A and VPN B.
VPN B is not an ASA.
In the VPN B setup, the remote subnet is Any and several subnets are routed through the tunnel.

As you know, 0.0.0.0 is routed to the WAN.
If I route 0.0.0.0 internally as you say, will the internet be possible?

[screenshot: Snika_0-1715068290954.png]

Using the ASA as an example, what I want to do is set the Local Subnet to Any on the MX firewall.

[screenshot: Snika_0-1715069369016.png]

MariaP8
Meraki Employee

To advertise a subnet over IPsec VPN go to Security & SD-WAN > Site to site VPN. A "VPN settings" section will be there, then you will see the "local networks".

This section permits/restricts subnets to be advertised over AutoVPN and IPsec VPN. If the subnet is "disabled" it will not be able to access or use the VPN as it will not be advertised over VPN. If "enabled" that subnet will be advertised to AutoVPN and IPsec VPN peers.


If you want all your local subnets to be able to pass traffic through the IPsec tunnel, then enable all of them.


Local networks example:

[screenshot: MariaP8_0-1715133834444.png]

Only the default VLAN subnet of 192.168.128.1/24 is advertised over the IPsec tunnel since it's the only one that is "enabled". If I want 10.10.1.0/24 to be advertised to my IPsec VPN peer, then I will "enable" it.


Do you need all of your traffic to go across the IPsec tunnel?

  • That's what adding a 0.0.0.0/0 in the private subnets of the Non-Meraki VPN peer configuration on the dashboard will do. It overrides the default route out the WAN interface.

Will internet be possible with 0.0.0.0/0 with an IPsec peer?

  • Sure, if the tunnel establishes properly as the MX will be using your peer for internet connectivity.

I am still a little lost on what you are trying to configure.

Maria P | Network Support Engineer, Cisco Meraki
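To make the routing consequence of the two bullets above concrete, here is an added Python model of the MX's forwarding decision. It is not Meraki code and not part of the thread; the VLAN values, the peer name `ipsec-peer-B`, the interface name `wan1` and the helper names (`build_routes`, `select_route`, `advertised_to_peer`) are constructed assumptions. It uses longest-prefix match and, on equal prefix length, prefers the tunnel route over the WAN default, which is what "overrides the default route out the WAN interface" means in practice. The local VLAN is written as 192.168.128.0/24 (network form) rather than the interface address quoted in the post.

```python
import ipaddress

# Constructed sample topology (assumption, not from the thread):
# an MX with two local VLANs, a WAN default route and one non-Meraki IPsec peer.
WAN = "wan1"
TUNNEL = "ipsec-peer-B"
LOCAL_NETWORKS = {
    "192.168.128.0/24": True,   # default VLAN, "enabled" under Local networks
    "10.10.1.0/24": False,      # second VLAN, "disabled" under Local networks
}


def build_routes(peer_private_subnets, local_networks=LOCAL_NETWORKS):
    """Return (network, next_hop) pairs the MX would forward on.

    Connected VLANs are always present. Each private subnet configured on the
    non-Meraki peer becomes a tunnel route. The WAN default route is always
    present; a peer private subnet of 0.0.0.0/0 has the same prefix length,
    and the tie-break in select_route() sends that traffic into the tunnel.
    """
    routes = [(ipaddress.ip_network(net), "connected") for net in local_networks]
    routes += [(ipaddress.ip_network(net), TUNNEL) for net in peer_private_subnets]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), WAN))
    return routes


def select_route(dst, routes):
    """Longest-prefix match; on a tie, connected beats tunnel beats WAN."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net, hop) for net, hop in routes if addr in net]
    if not candidates:
        return None
    priority = {"connected": 2, TUNNEL: 1, WAN: 0}
    _, hop = max(candidates, key=lambda r: (r[0].prefixlen, priority[r[1]]))
    return hop


def advertised_to_peer(local_networks=LOCAL_NETWORKS):
    """Only 'enabled' local networks are advertised to AutoVPN/IPsec peers."""
    return [net for net, enabled in local_networks.items() if enabled]


if __name__ == "__main__":
    print("advertised to peer:", advertised_to_peer())
    for peer_subnets in (["10.20.0.0/16"], ["0.0.0.0/0"]):
        routes = build_routes(peer_subnets)
        print(f"peer private subnets = {peer_subnets}")
        for dst in ("8.8.8.8", "10.20.5.1", "192.168.128.10", "10.10.1.5"):
            print(f"  {dst:>16} -> {select_route(dst, routes)}")
```

With the peer limited to `10.20.0.0/16`, Internet-bound traffic still leaves via `wan1`; with `0.0.0.0/0` as the peer's private subnet, the same traffic goes into the tunnel and the MX depends on the peer for Internet reachability, while directly connected VLANs keep their connected routes in both cases.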
KarstenI
Kind of a big deal

I still don't get what you want to achieve. Do you want to provide Internet for the other side through the MX?
