Non-meraki with NAT

Solved
timmyver
Comes here often

Hey everybody,

I have a hub-and-spoke setup with full mesh over 4 different sites. Now we need a non-Meraki VPN to a customer site.

So replacing it with an MX is not an option. Configuring it with a non-Meraki firewall is not a problem, but then I would need connectivity from all the spokes to the non-Meraki peer, and the non-Meraki side needs to be NATted, because their current range is already used in our environment.

1 Accepted Solution
PhilipDAth
Kind of a big deal

I have previously handled this case by deploying StrongSwan on a virtual Ubuntu instance. Not the best solution and a bit complicated.

I have also had customers deploy virtual ASAs for site-to-site VPNs (in a Meraki environment).

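The accepted answer is to put the overlapping-range problem on a Linux strongSwan gateway rather than on the MX. The following is an added example written for this thread (it is not code from the poster, from Cisco Meraki or from the strongSwan project): it checks whether the customer's range collides with ranges already in use, derives the 1:1 NETMAP translation the gateway applies so the hubs see the customer's hosts under an unused range, and prints the iptables rules and the swanctl child traffic selectors that go together. All subnets are constructed sample values; the setup assumes a policy-based strongSwan tunnel, iptables with the `policy`, `mark` and `NETMAP` extensions on the VM, and a route on the Meraki side that sends the translated range to that VM.

```python
"""Overlapping-subnet translation for a strongSwan gateway (added example)."""
import ipaddress

# Constructed sample data: ranges already in use across our hub/spoke sites
OUR_RANGES = ["10.10.0.0/16", "10.20.0.0/16", "192.168.50.0/24"]
# Constructed: the customer's real range, which collides with our 10.10.0.0/16
CUSTOMER_RANGE = "10.10.0.0/24"
# Constructed: an unused range under which our hubs will address the customer's hosts
TRANSLATED_RANGE = "172.31.10.0/24"


def overlapping(candidate, existing):
    """Return every existing network that overlaps the candidate network."""
    cand = ipaddress.ip_network(candidate)
    return [n for n in existing if ipaddress.ip_network(n).overlaps(cand)]


def netmap(addr, src_net, dst_net):
    """1:1 mapping with NETMAP semantics: keep the host bits, swap the network bits."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs equal prefix lengths on both sides")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {src_net}")
    return str(dst.network_address + (int(ip) - int(src.network_address)))


def gateway_rules(real_net, translated_net, our_nets):
    """Build the iptables rules and the swanctl child selectors for the gateway.

    Translation happens before encryption, so the IPsec traffic selectors are
    negotiated with the customer's REAL range; only our hubs use the translated one.
    """
    if ipaddress.ip_network(real_net).prefixlen != ipaddress.ip_network(translated_net).prefixlen:
        raise ValueError("translated range must have the same prefix length as the real one")
    iptables = [
        # Our hubs send to 172.31.10.x; rewrite to the customer's real address before ESP.
        f"iptables -t nat -A PREROUTING -d {translated_net} -j NETMAP --to {real_net}",
        # Mark packets that arrived decrypted from the tunnel, so the SNAT below
        # only ever touches customer traffic and never our own 10.10.x.x hosts.
        "iptables -t mangle -A PREROUTING -m policy --dir in --pol ipsec -j MARK --set-mark 0x1",
        # Customer-initiated traffic: present its real source under the translated range.
        f"iptables -t nat -A POSTROUTING -m mark --mark 0x1 -s {real_net} -j NETMAP --to {translated_net}",
    ]
    # Our hosts inside the colliding range cannot be distinguished from the customer's,
    # so they are left out of local_ts (translating our side too would be a second step).
    local_ts = [n for n in our_nets if n not in overlapping(real_net, our_nets)]
    swanctl = (
        "connections {\n"
        "  customer {\n"
        "    remote_addrs = <CUSTOMER-PUBLIC-IP>   # placeholder, fill in\n"
        "    children {\n"
        "      customer {\n"
        f"        local_ts = {','.join(local_ts)}\n"
        f"        remote_ts = {real_net}\n"
        "        start_action = start\n"
        "      }\n"
        "    }\n"
        "  }\n"
        "}\n"
    )
    return {"iptables": iptables, "swanctl": swanctl, "local_ts": local_ts}


if __name__ == "__main__":
    clash = overlapping(CUSTOMER_RANGE, OUR_RANGES)
    print(f"customer range {CUSTOMER_RANGE} overlaps: {clash}")
    print(f"customer host 10.10.0.7 is reached as {netmap('10.10.0.7', CUSTOMER_RANGE, TRANSLATED_RANGE)}")
    out = gateway_rules(CUSTOMER_RANGE, TRANSLATED_RANGE, OUR_RANGES)
    print("\n".join(out["iptables"]))
    print(out["swanctl"])
```

Connections our hubs initiate only need the PREROUTING rule, because conntrack reverses the translation on the replies; the mark plus POSTROUTING pair is what makes customer-initiated connections arrive with a non-colliding source address.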

8 Replies
alemabrahao
Kind of a big deal

It is not possible to configure NAT for a non-Meraki VPN.

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Mloraditch
Kind of a big deal

You have stated full mesh but also said hub and spoke, so just to be sure: if you are using the term spoke in the Meraki VPN sense, spokes cannot connect to 3rd-party VPNs. In order for all your sites to connect without introducing more gear, every site would have to be a hub and have a public IP. Your environment sounds small enough that that should be OK.

Any NATting of the other VPN device would have to be done on that device, as @alemabrahao states.


Here is the general guide to 3rd-party VPNs: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peers

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
timmyver
Comes here often

Hey, it's a full mesh setup, to be clear, so yes, all sites are hubs.

The connection to the remote site works, but it's a matter of letting the other hubs route everything over the one hub in Azure. That way we only need one VPN connection to the customer's site.

I don't see anywhere that it's not supported, but I also don't have the option to enable the VPN NAT, although there should be an option to set 'VPN subnet translation' to enabled.

alemabrahao
Kind of a big deal

Although it is not in the document, it is not actually supported and, as stated, the non-Meraki VPN does not participate in SD-WAN routing.

In other words, it is not possible to do what you want. Unfortunately, the non-Meraki VPN is limited.

alemabrahao
Kind of a big deal

And for SD-WAN you must ask Meraki support to enable the feature.

alemabrahao
Kind of a big deal

I've had to do the same for some clients.

timmyver
Comes here often

Thanks for the answers.
I will look to test the StrongSwan solution.

Although I find it a bit of a pity that the product is so limited.

I can't do outbound NAT (function as an Internet gateway).

I can't do NAT on an external VPN or work as a VPN concentrator.

So to be honest I don't see a lot of added value in deploying a vMX to Azure instead of a VPN Gateway or StrongSwan.

In a small environment, that is. I have another customer with 140 sites; that's a different story, of course.
