Meraki

Zac123 · ‎Apr 14 2021

Hi all:

The network I'm working with is detailed in the attached JPEG.

There are two sites with Cisco IOS routers and a third site with a Meraki MX64 firewall. I configured a VPN between the routers and the MX64 where the MX64 is the hub and the other routers are spokes (see dashed yellow line on diagram).

Hosts connected to the routers (PC1 and PC2) can ping devices on the MX64 (PC3), and PC3 can ping back. However, PC1 cannot ping PC2.

The routing table on the MX64 shows both 10.0.11.0/24 and 10.0.15.0/24 networks as available. That would make sense since pings work. There is one firewall rule only on the 'Site-to-site VPN' configuration page, and it's allowing everything. Is this a limitation of non-Meraki VPNs?

Bruce · ‎Apr 15 2021

If you’re doing a migration then start with the hub. Put the hub MX in the network, but keep the hub ASA too. Then as you migrate each site change the routing at the hub site to use the MX rather than the ASA. You can even put the MX ‘in front’ for the ASA so the the MX becomes your internet gateway, and use port forwards so that the existing Cisco 800 series devices can connect to the ASA until migrated.

View solution in original post

DarrenOC · ‎Apr 14 2021

Hi @Zac123 , take a read through the below document

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

Only outbound firewall rules are available for MX VPN’s. This is why we’ve turned to ASAs for non Meraki to MX VPNs

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Zac123 · ‎Apr 15 2021

Thanks for the reply @DarrenOC. The reason I setup this scenario is to mimic an existing customer's network except their network has 5 spokes which are a mix of 881 routers and 5506X ASAs. The hub is an ASA. They want to slowly convert all these devices to Meraki firewalls. Would it be better to start with the spokes? As more devices are converted then I could use AutoVPN to connect those sites together, but also configure each site to do a non-Meraki VPN with the hub. Then once all the spokes are MX's, I could convert the hub to an MX and connect all sites via AutoVPN.

DarrenOC · ‎Apr 15 2021

Could you run both in parallel? Place the MX concentrator on the network and then migrate your edge sites at your leisure.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Bruce · ‎Apr 15 2021

If you’re doing a migration then start with the hub. Put the hub MX in the network, but keep the hub ASA too. Then as you migrate each site change the routing at the hub site to use the MX rather than the ASA. You can even put the MX ‘in front’ for the ASA so the the MX becomes your internet gateway, and use port forwards so that the existing Cisco 800 series devices can connect to the ASA until migrated.

Bruce · ‎Apr 14 2021

@Zac123, site-to-site VPNs for non-Meraki peers are tricky to get working and have a bunch of caveats. Like @DarrenOC said, a lot of people resort to using another firewall behind the MX to terminate third-party VPN tunnels.

If you do want to try the configuration with the MX, do you have routes on R1 and R2 to send traffic destined for the other site, i.e. for 10.0.15.0/24 and 10.0.11.0/24, via the VPN tunnel? If not then it might be hitting the default route and is being sent out to the internet (assuming you don't tunnel everything to the MX64).

PhilipDAth · ‎Apr 15 2021

You need to add an additional VPN between R1 and R2.

Zac123 · ‎Apr 16 2021

Thanks for the replies all! It sounds like migrating while running the routers in parallel is the best way to swap this out. Thanks again.

Meraki

Community

Hub/spoke VPN Setup With Meraki Hub and Non-Meraki Peers

Hub/spoke VPN Setup With Meraki Hub and Non-Meraki Peers