Meraki MX VPN issue with FTD x LAN + Transit

JAlmeida
Here to help

Dear all,
I configured a normal VPN, using the Hub and Spoke concept.
I configured the routes and they are published normally; however, I need to validate the LAN network connection between Meraki and FTD.
I have already configured the routing, and even so the tests are not working.

My Topology:

Site A:
ISP >> SW Operators >> FTD >> Transit between FTD x SW x Meraki.

I can connect between the transit addresses and Meraki can see them, but I have no connectivity on the LAN.

Site B:
ISP >> SW Operators >> ASA >> Transit between FTD x SW x Meraki.

Routing is configured and it does not work.

I would like to validate this test with static routes and then configure BGP on Meraki and firewalls. Any tips?

IP 192.168.150.3 is the transit address of FTD Site B (Spoke);
IP 192.168.150.1 is the transit address of MX Site B (Spoke);
IP 192.168.150.2 is the transit address of SW Site B (Spoke);

IP 192.168.140.1 is the transit address of MX Site A Hub;

[screenshot]

HUB:

[screenshot]

Routing Table HUB:

[screenshot]

SPOKE:

[screenshot]

SPOKE:

[screenshot]

Static route
No IPsec
No dynamic protocol

I can ping both Meraki devices, but from the FTD I can't, for example, ping LAN 192.168.140.1 from site B, which is the network of site A.
Where am I going wrong?

KarstenI
Kind of a big deal

I am missing a detailed diagram to really understand the topology.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
GreenMan
Meraki Employee

Are you trying to gain access to resources behind the FTD (linked to the Hub via an IPsec tunnel) from Spoke sites (linked to the same Hub via AutoVPN tunnels)?

JAlmeida
Here to help

Hello @KarstenI and @GreenMan, my topology is as follows:
The network gateway is my ASA at Site A and FTD at Site B.
Meraki would be another DMZ, which would handle communication between the sites.
Today I can ping the transit addresses between the FTD (192.168.150.3) x ASA (192.168.140.3). However, I cannot ping the subnets that I am advertising.

[screenshot]

I did not create IPsec; my configuration consists only of the HUB and SPOKE configuration. Could this be the error?

[screenshot]
