Client VPN using vMX

Tarmahmood1
Getting noticed

Client VPN using vMX

We will replace Cisco CSR1000v with vMX, vMX will be connect to site branches and have some non Meraki VPN peer networks. I have Cisco ASAv in Azure for VPN, we are planning to remove Cisco ASAv and use Meraki client VPN. My question is

 

1) How client VPN will communicate to 3rd party application that is connected through non-meraki VPN tunnel.(diagram attached) do i need to add routes(static etc)

 

2) How many users can connect at a time? do we need any additional license for this feature?

 

 

Tariqmahmood_0-1695625721417.png

 

 

5 REPLIES 5
Erik_Gunnarsson
Conversationalist

When you enable AnyConnect on the VMX, the subnet will show up under "Site-to-Site VPN"
Here you can enable the subnet to have access to VPN. (No routing settings needed)
Your branch sites will not be able to communicate with the 3rd party application behind the non meraki peer via SDWAN if you're planning for this?

Depending on vMX model it handles different number of VPN clients:
https://meraki.cisco.com/product-collateral/mx-sizing-guide/?file

vMX small 50
vMX medium 250
vMX large 500

You need a seperate AnyConnect licens to run this

CWNE# 271
#QualityWiFi

Yes plan is that they should access 3rd party application behind VPN(non meraki) then how should we try to do this? any recommendation 

 

Branch A is MX

and other are Cisco legacy routers(not MX)

You just need to include the client VPN subnet in the encryption domain.

 

You could delay replacing the CSR1000v until all the legacy branches are replaced and then simply add a static route on that platform (for the client VPN subnet) and redistribute it into that VPN system.

Related to traffic between branch office and 3rd party application:

Since 3rd party application is accessed through https://abc.companydomain, I think it would work if all traffic goes to DNS in Domain controllers and DNS then points to 3rd party application link. So point is Branch offices DNS are pointing to Domain controller(DNS). Since all non peer will be connected to Azure network. 

So if branch office wont communicate with each other but atleast they can communicate to 3rd party app(https://abc.companydomain.) what do you think?

Erik_Gunnarsson
Conversationalist

You cannot reach a Non-Meraki VPN network (3rd party application) from a Meraki AutoVPN tunnel (Branch site)
Only local subnets on the MX that has the Non-Meraki VPN tunnel can reach it. (The AnyConnect subnet should work)

If you need access from branches to 3rd party application you need to build a Non-Meraki VPN tunnel from each branch and from vMX to the provider

CWNE# 271
#QualityWiFi
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels