Design for remote access solution

akomili
New here


Hello

 

We currently have an MX100 as our edge firewall and will be putting in a Cisco ASA to be used purely for remote access VPN connectivity. We don't have any spare public IPs to assign to the ASA, so we'd like users to be able to connect to it via the MX100. Just thinking out loud, perhaps port forward the VPN ports through the MX and route them to private IPs on the ASA's outside interface. Any ideas on how we can achieve this functionality without opening up security holes?

 

Thanks

AK

3 Replies
jdsilva
Kind of a big deal

What concerns do you have? If you forward VPN ports, and have some kind of user identity authentication it's not really any different than having the ASA directly on the Internet. 

BrechtSchamp
Kind of a big deal

I think it's just a matter of forwarding tcp/443 (TLS) and udp/443 (DTLS) if you're using SSL VPN, or udp/500 & udp/4500 if you're using IPsec.

 

Keep in mind that this will break some other functionality of the MX. You won't be able to use the local status page on the MX anymore (tcp/443) and client and site to site vpn will break too (udp/500 & udp/4500). See these links:

https://documentation.meraki.com/MX/Other_Topics/Using_VPN_through_an_MX_Security_Appliance

 

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_Caveats

 

You could also switch to non-standard ports, but then you need additional configuration on the ASA.

 

Edit: Nvm, the local status pages use port 80 (http), not 443 (https), so that part was irrelevant. So only the site-to-site VPN and MX client VPN will break. And as @PhilipDAth mentioned below, AutoVPN will just work; that uses its own UDP hole punching over UDP range 32768-61000. For future reference, Philip is right too that the port forwarding only breaks access to the local status page of the MX from the WAN side (which indeed is off by default).

> You won't be able to use the local status page on the MX anymore (tcp/443) and client and site to site vpn will break too (udp/500 & udp/4500)

 

If you NAT udp/500 and udp/4500, Meraki client VPN will break, but that won't be an issue if AnyConnect is being deployed. AutoVPN will work, but non-Meraki site-to-site VPN would break.

BUT he is highly likely to be using SSL VPN, so that won't be an issue.

 

Remote access to the local status page would break (if it was enabled, and it isn't by default) if tcp/443 was forwarded through.  However local access to the local status page should still work.
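Putting BrechtSchamp's port list and Philip's "what actually breaks" notes together, here is an added example (not code from the thread, Cisco or Meraki) that builds the MX port-forwarding rules for an ASA sitting on a private IP behind the MX and warns about collisions with MX-native services before anything is pushed. The ASA address 10.255.255.2 is constructed; the function names are hypothetical; the Dashboard API v1 endpoint `PUT /networks/{networkId}/appliance/firewall/portForwardingRules` and its field names (`lanIp`, `publicPort`, `localPort`, `protocol`, `allowedIps`, `uplink`) are written from memory and should be checked against the current Meraki API docs before use.

```python
"""Build MX port-forwarding rules that expose an ASA remote-access VPN sitting on a
private IP behind the MX, and flag MX features the forwards would break.
Added example; the API field names are an assumption to verify against Meraki's docs."""
import json
import urllib.request

# Ports the ASA needs on its outside interface, by remote-access VPN mode.
VPN_PORTS = {
    "ssl":   [("tcp", 443), ("udp", 443)],   # AnyConnect TLS + DTLS
    "ipsec": [("udp", 500), ("udp", 4500)],  # IKE + NAT-T
}

# MX services that a forward on the same port would steal traffic from.
# The local status page is tcp/80 (not 443) and is WAN-reachable only if enabled,
# so tcp/443 is not listed. AutoVPN uses its own UDP range and is unaffected.
MX_SERVICES = {
    ("udp", 500):  "MX client VPN / non-Meraki site-to-site VPN (IKE)",
    ("udp", 4500): "MX client VPN / non-Meraki site-to-site VPN (NAT-T)",
}
AUTOVPN_UDP_RANGE = range(32768, 61001)  # hole-punch range quoted in the thread


def build_rules(asa_outside_ip, mode, allowed_ips=("any",), uplink="both"):
    """Return Dashboard-API-shaped port-forwarding rules for the chosen VPN mode."""
    if mode not in VPN_PORTS:
        raise ValueError(f"unknown VPN mode {mode!r}; expected 'ssl' or 'ipsec'")
    rules = []
    for proto, port in VPN_PORTS[mode]:
        rules.append({
            "name": f"ASA RA-VPN {proto}/{port}",
            "lanIp": asa_outside_ip,
            "publicPort": str(port),   # API takes port strings, e.g. "443" or "8100-8101"
            "localPort": str(port),
            "protocol": proto,
            "allowedIps": list(allowed_ips),
            "uplink": uplink,
        })
    return rules


def collisions(rules):
    """List the MX features each proposed forward would break (empty list = safe)."""
    hits = []
    for r in rules:
        key = (r["protocol"], int(r["publicPort"]))
        if key in MX_SERVICES:
            hits.append(f"{key[0]}/{key[1]} -> breaks {MX_SERVICES[key]}")
        if key[0] == "udp" and key[1] in AUTOVPN_UDP_RANGE:
            hits.append(f"{key[0]}/{key[1]} -> sits inside the AutoVPN hole-punch range")
    return hits


def push_rules(api_key, network_id, rules):
    """PUT the rule set to the Dashboard (network call; not exercised offline)."""
    url = (f"https://api.meraki.com/api/v1/networks/{network_id}"
           "/appliance/firewall/portForwardingRules")
    req = urllib.request.Request(
        url, method="PUT",
        data=json.dumps({"rules": rules}).encode(),
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    rules = build_rules("10.255.255.2", "ssl")  # constructed ASA outside IP
    print(json.dumps(rules, indent=2))
    for warning in collisions(rules):
        print("WARNING:", warning)
```

For a remote-access VPN the source addresses are unknown, so `allowedIps` stays `any` and the exposure is the same as an ASA with its own public IP, which is jdsilva's point: what protects you is the ASA's own authentication, not the MX. Run `collisions()` first; choosing `ssl` yields no warnings, while `ipsec` reports that MX client VPN and non-Meraki site-to-site VPN would break, exactly as the replies above describe.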
