Meraki MX VPN issue with FTD x LAN + Transit

JAlmeida
Here to help
Dear all
I configured a normal VPN, using the Hub and Spoke concept.
I configured the routes and they are published normally, however, I need to validate the LAN network connection between Meraki and FTD.
I have already configured the routing, and even so the tests are not working.

My Topology:

Site A:
ISP >> SW Operators >> FTD >> Transit between FTD x SW x Meraki.

I can connect between the transit addresses and Meraki can see them, but I have no connectivity on the LAN.

Site B:
ISP >> SW Operators >> ASA >> Transit between FTD x SW x Meraki.

Routing configured and it does not work.

I would like to validate this test with static routes and then configure BGP on Meraki and firewalls. Any tips?

IP 192.168.150.3 is the transit address of FTD Site B (Spoke);
IP 192.168.150.1 is the transit address of MX Site B (Spoke);
IP 192.168.150.2 is the transit address of SW Site B (Spoke);

IP 192.168.140.1 is the transit address of MX Site A Hub;

[image: JAlmeida_1-1734917846044.png]

HUB:

[image: JAlmeida_2-1734918042865.png]

Routing Table HUB:

[image: JAlmeida_4-1734918138388.png]

SPOKE:

[image: JAlmeida_5-1734918207991.png]

SPOKE:

[image: JAlmeida_7-1734918306507.png]

Static route
No IPsec
No dynamic protocol

I can ping both Meraki devices, but from the FTD I can't, for example, ping LAN 192.168.140.1 from site B, which is the network of site A.
Where am I going wrong?

4 Replies
KarstenI
Kind of a big deal

I am missing a detailed diagram to really understand the topology.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
GreenMan
Meraki Employee

Are you trying to gain access to resources behind the FTD (linked to the Hub via an IPsec tunnel) from Spoke sites (linked to the same Hub via AutoVPN tunnels)?

JAlmeida
Here to help

Hello @KarstenI and @GreenMan. My topology is as follows:
The network gateway is my ASA at Site A and FTD at Site B.
Meraki would be another DMZ, which would handle communication between the sites.
Today I can ping the transit addresses between the FTD (192.168.150.3) x ASA (192.168.140.3). However, I cannot ping the subnets that I am advertising.

[image: JAlmeida_2-1734959903434.png]

I did not create IPsec; my configuration consists only of the HUB and SPOKE configuration. Could this be the error?

[image: JAlmeida_1-1734959739231.png]

GreenMan
Meraki Employee

What you seem to show here is that the firewall (the ASA or FTD, depending on the site) is used as the Default Gateway for the subnets which are to be the sources and/or destinations for the traffic flows? But you also have each of the MXs with an SVI into each of those subnets? If that's correct, then this would not be the way to set this up.

If you need the firewall to be the default gateway, then remove the SVI for that VLAN from the local MX. Instead create a transit VLAN / subnet to sit between the Default Gateway and the local MX. You'll then need to set up a static route for each subnet to be reached from the MX, via the firewall, across the transit VLAN. You will need to configure the static route on the MX to be advertised across the AutoVPN. Do this at both ends.
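As an added illustration of the transit-VLAN design described in this reply (not part of the thread and not Meraki or Cisco code), the following Python model walks a packet hop by hop through longest-prefix-match routing tables for the two sites. The transit addresses are the ones from the thread; the LAN subnets 10.10.0.0/24 (Site A, behind the ASA) and 10.20.0.0/24 (Site B, behind the FTD) and the node names are constructed assumptions. The point it shows is why the static route has to exist at both ends: the echo request can reach the far LAN while the reply is dropped at the far firewall, which looks exactly like "transit pings work, LAN pings do not".

```python
import ipaddress
from copy import deepcopy

# Constructed routing tables: prefix -> next hop ("connected" or the next node's name).
# Hub MX-A is 192.168.140.1 / ASA-A is 192.168.140.3; spoke MX-B is 192.168.150.1 / FTD-B is 192.168.150.3.
TABLES = {
    "ASA-A": {"10.10.0.0/24": "connected", "192.168.140.0/24": "connected",
              "10.20.0.0/24": "MX-A", "192.168.150.0/24": "MX-A"},   # static, via transit 192.168.140.1
    "MX-A":  {"192.168.140.0/24": "connected",
              "10.10.0.0/24": "ASA-A",                                 # static via transit, advertised in AutoVPN
              "10.20.0.0/24": "MX-B", "192.168.150.0/24": "MX-B"},    # learned from the spoke over AutoVPN
    "MX-B":  {"192.168.150.0/24": "connected",
              "10.20.0.0/24": "FTD-B",                                 # static via transit, advertised in AutoVPN
              "10.10.0.0/24": "MX-A", "192.168.140.0/24": "MX-A"},    # learned from the hub over AutoVPN
    "FTD-B": {"10.20.0.0/24": "connected", "192.168.150.0/24": "connected",
              "10.10.0.0/24": "MX-B", "192.168.140.0/24": "MX-B"},    # static, via transit 192.168.150.1
}

def lookup(table, dst):
    """Longest-prefix match for dst; returns the next hop, or None when the node has no route."""
    ip = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table if ip in ipaddress.ip_network(p)]
    best = max(nets, key=lambda n: n.prefixlen, default=None)
    return table[str(best)] if best else None

def trace(tables, start, dst, max_hops=8):
    """Follow the forwarding path from `start` towards `dst`.
    Returns the list of nodes traversed, ending at the node where dst is connected,
    or None if some node has no route (packet dropped) or the path loops."""
    path, node = [start], start
    for _ in range(max_hops):
        nh = lookup(tables[node], dst)
        if nh is None:
            return None
        if nh == "connected":
            return path
        node = nh
        path.append(node)
    return None

def ping_ok(tables, src_node, src_ip, dst_node, dst_ip):
    """A ping succeeds only if the request AND the reply each have a complete path."""
    return (trace(tables, src_node, dst_ip) is not None
            and trace(tables, dst_node, src_ip) is not None)

def without_route(tables, node, prefix):
    """Copy of the tables with one static route left out (the 'forgot one end' case)."""
    broken = deepcopy(tables)
    del broken[node][prefix]
    return broken
```

With the full tables, `ping_ok(TABLES, "FTD-B", "10.20.0.5", "ASA-A", "10.10.0.5")` is True; drop the ASA's static route to 10.20.0.0/24 with `without_route` and the request still arrives at Site A but the reply is dropped at ASA-A.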
