Destination Rerouting?

DanielBHSNIT
Getting noticed

I am most likely overcomplicating things...

I need traffic that would go to a non-routable IP to instead be redirected to an internal VPN concentrator at a statically assigned address. I'm reading conflicting things online and would appreciate the wisdom of those who have probably done it more often.

alemabrahao
Kind of a big deal

Can you demonstrate this with a simple topology? If the IP is not routable, how do you intend to do this?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

One of our vendors sent us a VPN concentrator and what I need to do is somehow route or forward internally 198.19.x.x to 192.168.0.243 (which is where the concentrator lives).

ww
Kind of a big deal

198.19.x.x/16 is the destination subnet? Then you just create a static route for 198.19.x.x/16? to 192.168.0.243

Or is 198.19.x.x your source subnet?

198.19.x.x is the destination

Well, you will have to create a link (a transit VLAN) between this hub and the router you have on your network.

That's why I asked for a topology to understand how your network is logically.

Having this link, simply create a static route to 198.19.x.x pointing to 192.168.0.243 as the next hop.

It's pretty basic routing, to be honest.


I built 1:1 NAT and that works for me: I can connect to the concentrator, at least at the hub where the concentrator is installed. I can't connect to it from site-to-site spokes, and 1:1 NAT rules won't work there since it's not the same subnet.

Dude, seriously, can you share a topology? It will help a lot with understanding.

Your explanation is confusing.


When I have time to edit my Visio so I can share it publicly, I will.

1:1 NAT is used for access from outside to inside, so it won't work if you are trying to access via the VPN tunnel; you have to route it in such a way that you can inject the route into the VPN tunnel.


It's working.

Here's the NAT rule:

[image attachment: DanielBHSNIT_0-1714667541284.png]

Here is me successfully connecting to it:

[image attachment: DanielBHSNIT_1-1714667589608.png]

I'm not saying it won't work, but it won't work via a VPN tunnel, only directly over the internet.

Anyway, I don't know if it's a good idea to leave it exposed to the internet.

rhbirkelund
Kind of a big deal

So something like this?

[image attachment: rhbirkelund_1-1714674064289.png]

On the Meraki MX, you'd create a static route for 198.98.19.X/NN with a next-hop address of 192.168.0.243. Then I believe you would create a forwarding rule that forwards udp/500 and udp/4500 to your VPN concentrator.

Or is this completely misunderstood?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

That's what I thought, build a static route, but when I go to Security & SD-WAN -> Routing, it shows me this...

[image attachment: DanielBHSNIT_0-1714674768224.png]

Unless that is the wrong place to get it.

What I did is set up a 1:1 NAT rule where the 198 address (which is a non-routable address) points to the VPN concentrator at .243, and it works, it resolves. What I need to figure out now is how to make that work at other locations that are site-to-site VPN to the MX; at those locations it doesn't allow me to build 1:1 NAT rules, and it also won't let me create a static route (see above).

Static routes are made on the Addressing & VLANs page.


I built a route like so:

[image attachment: DanielBHSNIT_0-1714677992192.png]

It won't let me save it; it tells me that "static lan route has an invalid next hop IP. The IP address is not on a configured subnet."

192.168.0.x is connected via site-to-site VPN.

That's what I'm trying to tell you, there's no way to create a route without having the subnet configured in the MX.

Therefore, a topology would help a lot in suggesting a solution.

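The rule behind the Dashboard error quoted above ("the IP address is not on a configured subnet") is easy to check before touching the appliance. The script below is an added example written for this thread, not code from the thread's participants or from Cisco Meraki, and it uses constructed VLAN and VPN subnet data that stand in for an unknown real topology. It reproduces the next-hop check on a hub (where 192.168.0.0/24 is a configured VLAN) and on a spoke (where that subnet is only learned across the site-to-site VPN), and it also flags that 198.19.x.x falls inside the RFC 2544 benchmarking block 198.18.0.0/15, which is why it is described as non-routable. The subnet names and the verdict strings are assumptions of the example.

```python
import ipaddress

# Constructed sample data (not the thread's real network): the VLANs a spoke
# MX has configured locally, the VLANs the hub MX has, and the hub subnets a
# spoke learns over the site-to-site VPN.
SPOKE_LOCAL_VLANS = {
    "Data": "10.20.0.0/24",
    "Voice": "10.20.10.0/24",
}
HUB_LOCAL_VLANS = {
    "LAN": "192.168.0.0/24",
}
VPN_LEARNED_SUBNETS = {
    "HubLAN": "192.168.0.0/24",
}

# RFC 2544 benchmarking block; the 198.19.x.x destination from the thread
# lies inside it, which is why it is not routable on the public internet.
BENCHMARK_BLOCK = ipaddress.ip_network("198.18.0.0/15")


def subnet_containing(ip_str, subnets):
    """Return the name of the first subnet in `subnets` that contains ip_str, else None."""
    ip = ipaddress.ip_address(ip_str)
    for name, cidr in subnets.items():
        if ip in ipaddress.ip_network(cidr, strict=False):
            return name
    return None


def classify_static_route(destination, next_hop, local_vlans, vpn_subnets):
    """Mirror the check behind the Dashboard error quoted in the thread.

    A static LAN route is accepted only when the next hop sits on a subnet the
    MX itself has configured. A next hop that is merely reachable across the
    site-to-site VPN is rejected: the MX has no directly connected interface
    on that subnet, so the route has to be created on the hub that owns it
    and advertised into the VPN instead.
    """
    dest_net = ipaddress.ip_network(destination, strict=False)
    result = {
        "destination": str(dest_net),
        "next_hop": next_hop,
        "in_benchmark_block": dest_net.subnet_of(BENCHMARK_BLOCK),
    }
    local = subnet_containing(next_hop, local_vlans)
    if local is not None:
        result["verdict"] = "ok"
        result["via"] = local
        return result
    over_vpn = subnet_containing(next_hop, vpn_subnets)
    if over_vpn is not None:
        # Exactly the spoke situation in the thread: 192.168.0.243 is only
        # reachable through the tunnel, so the spoke cannot use it as a next hop.
        result["verdict"] = "next-hop-only-via-vpn"
        result["via"] = over_vpn
        return result
    result["verdict"] = "next-hop-unreachable"
    result["via"] = None
    return result


if __name__ == "__main__":
    for label, vlans in (("hub", HUB_LOCAL_VLANS), ("spoke", SPOKE_LOCAL_VLANS)):
        r = classify_static_route("198.19.0.0/16", "192.168.0.243",
                                  vlans, VPN_LEARNED_SUBNETS)
        print(f"{label}: {r['verdict']} (via {r['via']}, "
              f"in benchmark block: {r['in_benchmark_block']})")
```

Run as-is, the hub case reports "ok" and the spoke case reports "next-hop-only-via-vpn", which matches the thread: the static route belongs on the hub MX, where 192.168.0.0/24 is a configured subnet, and the spokes then need to receive it through the site-to-site VPN rather than define it themselves.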