Client VPN using static route
Have Client VPN that's using Meraki cloud for authentication and DHCP. On the MX that's doing the client VPN, there's a static route that users there on the local LAN need to use to reach another subnet for a business application that's managed by a 3rd party. That works fine. But client VPN users can access that local LAN fine, but can't access that business app subnet. Is there a trick to it?
Is that static route written to allow traffic from the client VPN? Does it send all traffic intended for VendorSubnet to that subnet?
Does the vendor have a route back to your client VPN subnet? If not, they'll need to add it. Otherwise their equipment doesn't know how to get back to you.
Yeah, that's exactly what I am thinking too. I've reached out to them and am having them make sure there is a route back for the client VPN subnet. Wasn't sure if I was missing something on our end in regards to that client VPN subnet.
Double-checked config at a client where we do this.
Your static route should be fine unless you've got a weird ACL thing going on somewhere.
So I'd bet money it's your vendor. I hope they get back to you soon.
So I can ping the other side of the route (gateway) now since they put the route back in, but can't ping the server I need. I'm thinking maybe an ACL on their side. Here's what it's looking like:
Tracing route to 10.209.95.84 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 50 ms * * 10.226.156.240
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * *
You may be right! Good luck. I usually have to provide the list of subnets that need access, then patiently poke until the changes all get made.
On your original working subnet, are you able to ping that target server? If not and you know what port you're using... In Windows, you can use Test-NetConnection to initiate a TCP handshake.
So if it's on port 443, for that IP, you'd do: Test-Netconnection -Comp 10.209.95.84 -port 443 -info detailed
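To put the reply above into a reusable check, here is an added PowerShell function (not from the thread or from Meraki) that runs from the client VPN host and separates "no route" from "route exists but something in between filters the server". The gateway, server and port values are taken from the thread; the classification rules are assumptions for illustration.

```powershell
# Added example: classify a client-VPN-to-vendor reachability problem.
# Assumed values from the thread: gateway 10.226.156.240, server 10.209.95.84, TCP 443.
function Test-VendorPath {
    param(
        [Parameter(Mandatory)][string]$Gateway,
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 443
    )

    # ICMP to the far-side gateway: if this works, the MX static route and the
    # vendor's return route for the client VPN subnet both exist.
    $gw  = Test-NetConnection -ComputerName $Gateway -WarningAction SilentlyContinue

    # TCP handshake to the application port: succeeds even where ICMP is filtered,
    # so it is the better test of whether the app itself will work.
    $srv = Test-NetConnection -ComputerName $Server -Port $Port `
               -InformationLevel Detailed -WarningAction SilentlyContinue

    $verdict = if (-not $gw.PingSucceeded) {
        'Gateway unreachable: check the MX static route and the vendor return route for the client VPN subnet.'
    } elseif ($srv.TcpTestSucceeded) {
        "TCP/$Port open: ICMP may just be filtered; the application should work."
    } elseif ($srv.PingSucceeded) {
        "Server answers ping but not TCP/$Port: host firewall or service-level filter on the server."
    } else {
        'Gateway reachable, server silent: ACL between gateway and server, or Windows Firewall on the server.'
    }

    # SourceAddress shows which interface sent the probes; confirm it is the client VPN address,
    # otherwise you are testing the LAN path, not the VPN path.
    [pscustomobject]@{
        SourceAddress    = $srv.SourceAddress.IPAddress
        GatewayPing      = $gw.PingSucceeded
        ServerPing       = $srv.PingSucceeded
        TcpTestSucceeded = $srv.TcpTestSucceeded
        Verdict          = $verdict
    }
}

Test-VendorPath -Gateway 10.226.156.240 -Server 10.209.95.84 -Port 443 | Format-List
```

Run the same function once from a LAN host and once over the client VPN; a differing Verdict with the same Gateway/Server points at whatever treats the client VPN subnet differently (the vendor ACL or the server's firewall).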
Yeah, I can reach it from the LAN subnet fine.
Windows Firewall on the remote machine?
If the LAN subnet is working fine, that sounds like you need to poke your vendor some more about setting your client VPN subnet up "just like my LAN subnet." 😕
