Client VPN using static route

SOLVED
leadtheway
Building a reputation

Client VPN using static route

Have Client VPN  thats using meraki cloud for authentication and DHCP.  On the MX thats doing the client VPN, theres a static route that users there on the local LAN need to use to reach another subnet for business application thats managed by 3rd party.. that works fine. But client vpn user can access that local LAN fine, but can't access that business app subnet.  Is there a trick to it?

1 ACCEPTED SOLUTION
Nash
Kind of a big deal

Is that static route written to allow traffic from the client VPN? Does it send all traffic intended for VendorSubnet to that subnet?

Does the vendor have a route back to your client VPN subnet? If not, they'll need to add it. Otherwise their equipment doesn't know how to get back to you.

View solution in original post

8 REPLIES 8
Nash
Kind of a big deal

Is that static route written to allow traffic from the client VPN? Does it send all traffic intended for VendorSubnet to that subnet?

Does the vendor have a route back to your client VPN subnet? If not, they'll need to add it. Otherwise their equipment doesn't know how to get back to you.

leadtheway
Building a reputation

yeah thats exactly what I am thinking too..I've reached out to them and am having them make sure there is a route back for the client vpn subnet.   Wasn't sure if i was missing something on our end in regards to that client vpn subnet

Nash
Kind of a big deal

Double-checked config at a client where we do this.

 

Your static route should be fine unless you've got a weird ACL thing going on somewhere.

 

So I'd bet money it's your vendor. I hope they get back to you soon.

leadtheway
Building a reputation

so I can ping the other side of the route (gateway ) now since they put route back in, but can't ping the server i need..I'm thinking maybe an ACL on their side..heres what its looking like

 

Tracing route to 10.209.95.84 over a maximum of 30 hops

1 * * * Request timed out.
2 * * * Request timed out.
3 50 ms * * 10.226.156.240
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * *

Nash
Kind of a big deal

You may be right! Good luck. I usually have to provide the list of subnets that need access, then patiently poke until the changes all get made.

 

On your original working subnet, are you able to ping that target server? If not and you know what port you're using... In Windows, you can use Test-NetConnection to initiate a TCP handshake.

 

So if it's on port 443, for that IP, you'd do: Test-Netconnection -Comp 10.209.95.84 -port 443 -info detailed

leadtheway
Building a reputation

yeah I can reach from the LAN subnet fine

Windows Firewall on the remote machine?

Nash
Kind of a big deal

If the LAN subnet is working fine, that sounds like you need to poke your vendor some more about setting your client VPN subnet up "just like my LAN subnet." 😕

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels