Design for remote access solution

akomili
New here

Design for remote access solution

Hello

 

We currently have an MX100 as our edge firewall and will be putting in a Cisco ASA to be used purely for remote access VPN connectivity. We don't have any spare public IPs to assign to the the ASA so we'd like users to be able to connect to it via the MX100. Just thinking out loud, perhaps port forward the VPN ports through the MX and route them to private IPs on the ASA's outside interface. Any ideas on how we can achieve this functionality without opening up security holes?

 

Thanks

AK

3 Replies 3
jdsilva
Kind of a big deal

What concerns do you have? If you forward VPN ports, and have some kind of user identity authentication it's not really any different than having the ASA directly on the Internet. 

BrechtSchamp
Kind of a big deal

I think it's just a matter of forwarding tcp/443 (tls) udp/443 (dtls) if you're using SSL VPN or udp/500 & udp/4500 if you're using IPsec.

 

Keep in mind that this will break some other functionality of the MX. You won't be able to use the local status page on the MX anymore (tcp/443) and client and site to site vpn will break too (udp/500 & udp/4500). See these links:

https://documentation.meraki.com/MX/Other_Topics/Using_VPN_through_an_MX_Security_Appliance

 

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_Caveats

 

You could also switch to non-standard ports, but then you need additional configuration on the ASA.

 

Edit: Nvm, the local status pages use port 80 (http), not 443 (https) so that part was irrelevant. So only the site-to-site VPN and MX client VPN will break. And as @PhilipDAth mentioned below, AutoVPN will just work, that uses it's own UDP hole punching over UDP range 32768-61000. For future reference, Philip is right too that the port forwarding only breaks access to the local status page of the MX from the WAN side (which indeed is off by default).

PhilipDAth
Kind of a big deal
Kind of a big deal

>You won't be able to use the local status page on the MX anymore (tcp/443) and client and site to site vpn will break too (udp/500 & udp/4500

 

If you nat udp/500 and udp/4500 Meraki client VPN will break - but that wont be an issue if Anyconnect is being deployed.  AutoVPN will work, but non-Meraki site to site VPN would break.

BUT he is higly likely to be using SSL VPN so that wont be an issue.

 

Remote access to the local status page would break (if it was enabled, and it isn't by default) if tcp/443 was forwarded through.  However local access to the local status page should still work.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels