Destination Rerouting?
I am most likely overcomplicating things...
I need traffic that would go to a non-routable IP to instead get redirected to an internal VPN concentrator at a statically assigned address? I'm reading conflicting things online and would appreciate the wisdom of those who have probably done it more often.
Can you demonstrate this with a simple topology? If the IP is not routable, how do you intend to do this?
Please, if this post was useful, leave your kudos and mark it as solved.
One of our vendors sent us a VPN concentrator and what I need to do is somehow route or forward internally 198.19.x.x to 192.168.0.243 (which is where the concentrator lives).
198.19.x.x/16 is the destination subnet? Then you just create a static route for 198.19.x.x/16? to 192.168.0.243
Or is 198.19.x.x your source subnet?
198.19.x.x is the destination
Well, you will have to create a link (a transit VLAN) between this hub and the router you have on your network.
That's why I asked for a topology to understand how your network is logically.
Having this link, simply create a static route to 198.19.x.x pointing to 192.168.0.243 as the next hop.
It's a pretty basic routing to be honest.
Please, if this post was useful, leave your kudos and mark it as solved.
I built 1:1 NAT and that works for me, I can connect to the concentrator, at least at the hub the concentrator is installed at. I can't connect to it from site-to-site spokes and 1:1 NAT rules won't work there since it's not the same subnet.
Dude, seriously, can you share a topology? It will help a lot with understanding.
Your explanation is confusing.
Please, if this post was useful, leave your kudos and mark it as solved.
When I have time to edit my Visio so I can share it publicly, I will.
1:1 NAT is used for access from outside to inside, so it won't work if you are trying to access via the VPN tunnel. You have to route it in such a way that you can inject the route into the VPN tunnel.
Please, if this post was useful, leave your kudos and mark it as solved.
It's working;
Here's the NAT rule:
Here is me successfully connecting to it:
I'm not saying it won't work, but it won't work via a VPN tunnel, only directly over the internet.
Anyway, I don't know if it's a good idea to leave it exposed to the internet.
Please, if this post was useful, leave your kudos and mark it as solved.
So something like this?
On the Meraki MX, you'd create a static route with 198.98.19.X/NN with a next-hop address of 192.168.0.243. Then I believe you would create a forwarding rule that forwards udp/500 and udp/4500 to your VPN concentrator.
Or is this completely misunderstood?
Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂
All code examples are provided as is. Responsibility for code execution lies solely with you.
That's what I thought, build a static route, but when I go to Security & SD-WAN -> Routing, it shows me this...
Unless that is the wrong place to get it.
What I did is set up a 1:1 NAT rule where the 198 (which is a non-routable address) points to the VPN concentrator at .243; and it works, it resolves... what I need to figure out now is how to make that work at other locations that are site-to-site VPN to the MX; at those locations it doesn't allow me to build 1:1 NAT rules, and it also won't let me create a static route (see above).
Static routes are made on the Addressing & VLANs page.
Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂
All code examples are provided as is. Responsibility for code execution lies solely with you.
I built a route like so:
It won't let me save it, it tells me that "static lan route has an invalid next hop IP. The IP address is not on a configured subnet."
192.168.0.x is connected via site-to-site VPN
That's what I'm trying to tell you, there's no way to create a route without having the subnet configured in the MX.
Therefore, a topology would help a lot in suggesting a solution.
Please, if this post was useful, leave your kudos and mark it as solved.
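
The next-hop rule behind the error quoted above, and why a spoke only reaches 198.19.x.x once that route arrives over the VPN, as an added example that is not part of the thread and not Meraki's code. It is a generic model in Python; the /16 mask, the spoke LAN 10.10.20.0/24 and the routing-table entries are assumptions.

```python
import ipaddress

def validate_static_route(local_subnets, destination, next_hop):
    """Accept a static route only if the next hop is on a locally configured subnet."""
    dest = ipaddress.ip_network(destination)
    hop = ipaddress.ip_address(next_hop)
    if any(hop in ipaddress.ip_network(s) for s in local_subnets):
        return True, f"{dest} via {hop} accepted"
    return False, f"{dest} via {hop} rejected: next hop is not on a configured subnet"

def lookup(table, address):
    """Longest-prefix match: return the path of the most specific matching route."""
    addr = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(prefix), path) for prefix, path in table
               if addr in ipaddress.ip_network(prefix)]
    return max(matches, key=lambda m: m[0].prefixlen, default=(None, None))[1]

# Constructed topology. 198.19.0.0/16 is the mask assumed in the thread;
# the spoke LAN 10.10.20.0/24 is invented for this example.
HUB_SUBNETS = ["192.168.0.0/24"]      # the concentrator's subnet is local to the hub
SPOKE_SUBNETS = ["10.10.20.0/24"]     # 192.168.0.0/24 is only reachable via VPN here
VENDOR_NET, CONCENTRATOR = "198.19.0.0/16", "192.168.0.243"

hub_ok, hub_msg = validate_static_route(HUB_SUBNETS, VENDOR_NET, CONCENTRATOR)
spoke_ok, spoke_msg = validate_static_route(SPOKE_SUBNETS, VENDOR_NET, CONCENTRATOR)

# Spoke routing table before any route for the vendor range reaches it.
SPOKE_TABLE = [
    ("10.10.20.0/24", "local LAN"),
    ("192.168.0.0/24", "site-to-site VPN to hub"),
    ("0.0.0.0/0", "WAN uplink"),
]
# Same table once the hub's static route is advertised into the VPN.
SPOKE_TABLE_WITH_VPN_ROUTE = SPOKE_TABLE + [(VENDOR_NET, "site-to-site VPN to hub")]

if __name__ == "__main__":
    print("hub:  ", hub_msg)
    print("spoke:", spoke_msg)
    print("spoke before:", lookup(SPOKE_TABLE, "198.19.5.10"))
    print("spoke after: ", lookup(SPOKE_TABLE_WITH_VPN_ROUTE, "198.19.5.10"))
```

The route has to be defined where the next hop is directly connected (the hub) and then carried to the spokes over the tunnel; until then the spoke sends 198.19.x.x out its default route.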
