Meraki MX VPN issue with FTD x LAN + Transit
Dear all,
I configured a normal VPN, using the Hub and Spoke concept.
I configured the routes and they are published normally, however, I need to validate the LAN network connection between Meraki and FTD.
I have already configured the routing, and even so the tests are not working.
My Topology:
Site A:
ISP >> SW Operators >> FTD >> Transit between FTD x SW x Meraki.
I can connect between the transit addresses and Meraki can see them, but I have no connectivity on the LAN.
Site B:
ISP >> SW Operators >> ASA >> Transit between FTD x SW x Meraki.
Routing configured and it does not work.
I would like to validate this test with static routes and then configure BGP on Meraki and firewalls. Any tips?
IP 192.168.150.3 is the transit address of FTD Site B (Spoke);
IP 192.168.150.1 is the transit address of MX Site B (Spoke);
IP 192.168.150.2 is the transit address of SW Site B (Spoke);
IP 192.168.140.1 is the transit address of MX Site A Hub;
[Screenshots not reproduced: HUB, Routing Table HUB, SPOKE, SPOKE]
Static route
No IPsec
No dynamic protocol
I can ping both Meraki, but from FTD I can't, for example, ping LAN 192.168.140.1 from site B, which is the network of site A.
Where am I going wrong?
Labels: Firewall
What you seem to show here is that the firewall (the ASA or FTD, depending on the site) is used as the Default Gateway for the subnets which are to be the sources and/or destinations for the traffic flows? But you also have each of the MXs with an SVI into each of those subnets? If that's correct, then this would not be the way to set this up.
If you need the firewall to be the default gateway, then remove the SVI for that VLAN from the local MX. Instead create a transit VLAN / subnet to sit between the Default Gateway and the local MX. You'll then need to set up a static route for each subnet to be reached from the MX, via the firewall, across the transit VLAN. You will need to configure the static route on the MX to be advertised across the AutoVPN. Do this at both ends.
I am missing a detailed diagram to really understand the topology.
Are you trying to gain access to resources behind the FTD (linked to the Hub via an IPsec tunnel) from Spoke sites (linked to the same Hub via AutoVPN tunnels)?
Hello @KarstenI and @GreenMan, my topology is as follows:
The network gateway is my ASA at Site A and FTD at Site B.
Meraki would be another DMZ, which would handle communication between the sites.
Today I can ping the transit addresses between the FTD (192.168.150.3) x ASA (192.168.140.3). However, I cannot ping the subnets that I am advertising.
I did not create IPsec; my configuration consists only of the HUB and SPOKE configuration. Could this be the error?
It worked; the firewall rules were wrong.
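An added example, not code from the thread or from Cisco/Meraki: a small Python path walk over the design GreenMan describes (firewall as LAN gateway, transit VLAN to the MX, MX static routes advertised over AutoVPN), with a stateless first-match firewall policy so the outcome of the last post (routing fine, firewall rules wrong) can be reproduced and the failing hop named. The transit addresses are the ones given in the thread; the LAN prefixes, host addresses, route tables and both policies are constructed assumptions.

```python
import ipaddress as ip
LAN_A, LAN_B = ip.ip_network("10.140.0.0/24"), ip.ip_network("10.150.0.0/24")   # constructed LANs
TRANSIT_A, TRANSIT_B = ip.ip_network("192.168.140.0/24"), ip.ip_network("192.168.150.0/24")
ANY = ip.ip_network("0.0.0.0/0")
ADDRS = {  # address owners: transit IPs as given in the thread, LAN gateways and hosts constructed
    "host_b": {"10.150.0.10"}, "ftd_b": {"10.150.0.1", "192.168.150.3"}, "mx_b": {"192.168.150.1"},
    "mx_a": {"192.168.140.1"}, "asa_a": {"192.168.140.3", "10.140.0.1"}, "host_a": {"10.140.0.10"},
}
OWNER = {ip.ip_address(a): d for d, v in ADDRS.items() for a in v}
# (prefix, next hop) per device; "attached" = connected subnet. Each MX reaches its local LAN via the firewall across the transit VLAN and learns remote prefixes over AutoVPN; each firewall sends remote prefixes to its local MX and keeps its ISP default.
ROUTES = {
    "host_b": [(ANY, "ftd_b")], "host_a": [(ANY, "asa_a")],
    "ftd_b": [(LAN_B, "attached"), (TRANSIT_B, "attached"), (LAN_A, "mx_b"), (TRANSIT_A, "mx_b"), (ANY, "isp_b")],
    "mx_b": [(TRANSIT_B, "attached"), (LAN_B, "ftd_b"), (LAN_A, "mx_a"), (TRANSIT_A, "mx_a")],
    "mx_a": [(TRANSIT_A, "attached"), (LAN_A, "asa_a"), (LAN_B, "mx_b"), (TRANSIT_B, "mx_b")],
    "asa_a": [(LAN_A, "attached"), (TRANSIT_A, "attached"), (LAN_B, "mx_a"), (TRANSIT_B, "mx_a"), (ANY, "isp_a")],
}
# Stateless first-match policy with implicit deny; devices without a policy (hosts, MXs) forward everything.
BAD_POLICY = {"ftd_b": [(LAN_B, ANY, "permit")], "asa_a": [(LAN_A, ANY, "permit")]}  # outbound only
GOOD_POLICY = {"ftd_b": [(LAN_B, ANY, "permit"), (LAN_A, LAN_B, "permit")], "asa_a": [(LAN_A, ANY, "permit"), (LAN_B, LAN_A, "permit")]}

def lookup(dev, dst):  # longest-prefix match in dev's table; None when there is no route at all
    hits = [r for r in ROUTES[dev] if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def permitted(dev, src, dst, policy):
    for s, d, action in policy.get(dev, []):
        if src in s and dst in d:
            return action == "permit"
    return dev not in policy

def trace(src, dst, policy, max_hops=8):
    """Walk one packet from src to dst; returns (delivered, path, reason)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    dev, path = OWNER[src], []
    while len(path) < max_hops:
        path.append(dev)
        if OWNER.get(dst) == dev:
            return True, path, "delivered"
        if not permitted(dev, src, dst, policy):
            return False, path, f"denied by {dev} policy"
        nh = lookup(dev, dst)
        dev = OWNER.get(dst) if nh == "attached" else nh   # connected subnet: hand to the address owner
        if dev not in ROUTES:
            return False, path, f"{path[-1]}: no usable route to {dst} (next hop {nh})"
    return False, path, "hop limit exceeded"

if __name__ == "__main__":
    for label, pol in (("wrong rules", BAD_POLICY), ("fixed rules", GOOD_POLICY)):
        print(label, *trace("10.150.0.10", "10.140.0.10", pol)[1:])
```

Run stand-alone it prints the hop list for a ping from Site B's LAN to Site A's LAN under each policy: dropped at the ASA with the outbound-only rules, delivered once each firewall permits the remote LAN in.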