Meraki Community

SaravananShan · ‎Jul 8 2021

Hello Everyone,

I am working on Cisco ASA Firewall migration with MX 250 for our corporate office location, and have few VPN queries listed below,

Setup: MX 250 configured in Routed mode, as needed both Firewall and VPN functions, as well act as a gateway for all the internal (user/application) network subnets. We have a multiple VPN tunnel with per tunnel basis customized local and remote ip subnet (only the required host/application ip address permitted at local/remote encryption domain)

Queries:

1) Scenario: Non Meraki VPN tunnel
Requirement: customize the local encryption IP address (specify /32, or multiple host/smaller subnets) to remote network. Is this supported ?

2) Scenario: Multiple non Meraki VPN tunnel
Requirement: specify the VPN local encryption domain per tunnel basis. Is this supported ? (instead of global VPN local subnet selection and restriction only at Firewall rule)

3) Scenario: Non Meraki VPN with NAT
Requirement1: Many to 1 NAT for VPN outbound connection, and advertise only the NAT IP address to Remote peer. Is this supported ?
Requirement2: 1 to 1 NAT for inbound VPN flow, and advertise only the NAT IP address to Remote peer. Is this supported ?
Requirement 3: VPN NAT with private IP supported ? and extend only the NAT private IP to remote peer vpn
Requirement 4: VPN NAT with public IP supported ? and extend only the NAT public IP to remote peer vpn

Is above requirement achievable ? any thoughts?

Bruce · ‎Jul 8 2021

@SaravananShan based on your scenarios I don’t believe that the MX is going to be the best choice for you. The VPN to non-Meraki peers, although very functional, does not provide much in the way of customisation - in-line with Meraki’s ‘simple’ approach. You may well be best off putting a third party VPN head-end/firewall behind the MX to perform the functions you describe.

Here’s my thoughts on your scenarios:

Scenario 1: the encrypted traffic is defined by the addresses that you ‘include’ in the VPN, these are either locally defined subnets on a VLAN or a static route.

Scenario 2: for each Meraki network the IP addresses encrypted are as Scenario 1. Although the non-Meraki peer is defined globally only local Meraki network IP addresses are encrypted. You can defined multiple tunnels to the same destination (with different remote subnets) and ‘tag’ them so they’re only established from certain Meraki networks - remember non-Meraki VPN routes aren’t passed across the AutoVPN.

Scenario 3: there is no capability for NATing on non-Meraki VPN tunnels.

View solution in original post

Bruce · ‎Jul 8 2021