Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Client VPN using vMX

Tarmahmood1
Getting noticed
‎Sep 25 2023 12:13 AM
‎Sep 25 2023 12:13 AM

Client VPN using vMX

We will replace Cisco CSR1000v with vMX, vMX will be connect to site branches and have some non Meraki VPN peer networks. I have Cisco ASAv in Azure for VPN, we are planning to remove Cisco ASAv and use Meraki client VPN. My question is

 

1) How client VPN will communicate to 3rd party application that is connected through non-meraki VPN tunnel.(diagram attached) do i need to add routes(static etc)

 

2) How many users can connect at a time? do we need any additional license for this feature?

 

 

Tariqmahmood_0-1695625721417.png

 

 

0 Kudos
Subscribe
5 Replies 5
Erik_Gunnarsson
Here to help
‎Sep 25 2023 3:54 AM
‎Sep 25 2023 3:54 AM

When you enable AnyConnect on the VMX, the subnet will show up under "Site-to-Site VPN"
Here you can enable the subnet to have access to VPN. (No routing settings needed)
Your branch sites will not be able to communicate with the 3rd party application behind the non meraki peer via SDWAN if you're planning for this?

Depending on vMX model it handles different number of VPN clients:
https://meraki.cisco.com/product-collateral/mx-sizing-guide/?file

vMX small 50
vMX medium 250
vMX large 500

You need a seperate AnyConnect licens to run this

CWNE# 271
#QualityWiFi
Subscribe
In response to Erik_Gunnarsson
Tarmahmood1
Getting noticed
‎Sep 25 2023 7:40 AM
‎Sep 25 2023 7:40 AM

Yes plan is that they should access 3rd party application behind VPN(non meraki) then how should we try to do this? any recommendation 

 

Branch A is MX

and other are Cisco legacy routers(not MX)

0 Kudos
Subscribe
In response to Tarmahmood1
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 25 2023 11:53 AM
‎Sep 25 2023 11:53 AM

You just need to include the client VPN subnet in the encryption domain.

 

You could delay replacing the CSR1000v until all the legacy branches are replaced and then simply add a static route on that platform (for the client VPN subnet) and redistribute it into that VPN system.

0 Kudos
Subscribe
In response to PhilipDAth
Tarmahmood1
Getting noticed
‎Sep 26 2023 12:00 AM
‎Sep 26 2023 12:00 AM

Related to traffic between branch office and 3rd party application:

Since 3rd party application is accessed through https://abc.companydomain, I think it would work if all traffic goes to DNS in Domain controllers and DNS then points to 3rd party application link. So point is Branch offices DNS are pointing to Domain controller(DNS). Since all non peer will be connected to Azure network. 

So if branch office wont communicate with each other but atleast they can communicate to 3rd party app(https://abc.companydomain.) what do you think?

0 Kudos
Subscribe
Erik_Gunnarsson
Here to help
‎Sep 26 2023 1:25 AM
‎Sep 26 2023 1:25 AM

You cannot reach a Non-Meraki VPN network (3rd party application) from a Meraki AutoVPN tunnel (Branch site)
Only local subnets on the MX that has the Non-Meraki VPN tunnel can reach it. (The AnyConnect subnet should work)

If you need access from branches to 3rd party application you need to build a Non-Meraki VPN tunnel from each branch and from vMX to the provider

CWNE# 271
#QualityWiFi
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.