Outbound VPN being blocked

Screasey
Here to help

Hello All,

I recently deployed a full Meraki suite to one of our offices. This includes an MX84, MS120 switches, and MR42 APs. The clients in the office operate solely on wireless.

One of our associates has to VPN into a client network, and from there (receiving a NAT'd address on the client's network) jump into their AWS platform to perform work. Since the deployment, the employee can no longer access the AWS side after successfully VPNing into the client network.

We have tested that it is related to the Meraki network by using a tether off of a cell phone as well as a MiFi device. Both alternative choices allowed proper functionality. I could use some help, as I feel like I have configured a rule somewhere mistakenly or a default rule is blocking, but I cannot seem to find it.

NolanHerring
Kind of a big deal

Can you post a screenshot of your Group Policies/Firewall Rules/L3,L7 rules/Outbound rules etc., AMP/IPS/IDS etc.
Nolan Herring | nolanwifi.com
Screasey
Here to help

No problem. I mimicked what was in the previous security device, which was basic to say the least, to get them running, with plans to lock down the entity per our guidelines.

[Three screenshots of the configuration were attached here.]

C3SGInc
Getting noticed

Have you run a tracert after the user connects to the VPN? Is it actually seeing the correct route through the VPN?

You might test disabling AMP and reconnect to see what happens. We've seen that do strange things, although, once your tunnel is up it shouldn't be able to mess with that traffic.

NolanHerring
Kind of a big deal

Not related, but on your screenshot you have 8.8.8.8 set up for allowed ICMP, which is probably not what you think it is.

That is for what 'public IP addresses' you want to allow to be able to ping your firewall.
Nolan Herring | nolanwifi.com
Screasey
Here to help

Still waiting on the engineer to test with AMP off, but thank you for the clarification on the 8.8.8.8. I will remove it immediately.

Screasey
Here to help

We tested with AMP off and saw no change in behavior.

Below are the results of a TR.

MacBook-Pro-2:Tableau Information st$ traceroute 10.x.x.107
traceroute to 10.x.x.107 (10.x.x.107), 64 hops max, 52 byte packets   <- Customer private address in AWS
 1  ip-10-x-x-1 (10.x.x.1)  6.645 ms  2.934 ms  2.403 ms   <- Out of the Meraki gateway
 2  45-20-210-142.lightspeed.rlghnc.sbcglobal.net (45.20.210.142)  3.726 ms  3.737 ms  3.180 ms
 3  104-186-148-1.lightspeed.rlghnc.sbcglobal.net (104.186.148.1)  9.676 ms  12.658 ms  9.885 ms
 4  99.173.77.18 (99.173.77.18)  10.392 ms  12.585 ms  12.057 ms
 5  99.134.77.94 (99.134.77.94)  11.215 ms  13.827 ms  11.737 ms
 6  * *

C3SGInc
Getting noticed

From the results you posted it appears that your packets jump directly to the Internet after hitting your default gateway. Assuming that you had the VPN connection up when you ran the traceroute, I would say that your VPN connection/client does not know about the subnet that you are trying to reach. I would expect to see all private IPs in the route to the AWS app that you mentioned. I would start with validating the VPN connection properties.
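As an added illustration of the check described in the reply above (this is not code from the thread or from Meraki): a small Python parser that reads traceroute output and reports the first hop at which a path to a private destination transits a public address, which is the symptom visible in the posted trace. Both traceroutes embedded in it are constructed samples, not real measurements.

```python
import ipaddress
import re

# Two constructed traceroute outputs (illustrative, not real measurements).
# BROKEN mirrors the thread's symptom: private AWS destination, public hop 2.
BROKEN = """\
traceroute to 10.0.5.107 (10.0.5.107), 64 hops max, 52 byte packets
 1  ip-10-0-5-1 (10.0.5.1)  6.645 ms  2.934 ms  2.403 ms
 2  45-20-210-142.example.net (45.20.210.142)  3.726 ms  3.737 ms  3.180 ms
 3  99.173.77.18 (99.173.77.18)  10.392 ms  12.585 ms  12.057 ms
 4  * * *
"""
# HEALTHY is what a working VPN route looks like: every hop stays private.
HEALTHY = """\
traceroute to 10.0.5.107 (10.0.5.107), 64 hops max, 52 byte packets
 1  ip-10-0-5-1 (10.0.5.1)  1.102 ms  0.981 ms  0.944 ms
 2  172.16.254.1 (172.16.254.1)  21.340 ms  20.877 ms  21.002 ms
 3  10.0.5.107 (10.0.5.107)  22.115 ms  21.930 ms  22.041 ms
"""

DEST_RE = re.compile(r"^traceroute to \S+ \((\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+)?\((\d+\.\d+\.\d+\.\d+)\)")

def parse_traceroute(text):
    """Return (destination, [(hop_number, ip_or_None), ...]) from BSD/macOS
    traceroute output; unanswered hops ('* * *') are recorded as None."""
    dest, hops = None, []
    for line in text.splitlines():
        m = DEST_RE.match(line)
        if m:
            dest = ipaddress.ip_address(m.group(1))
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2))))
        elif re.match(r"^\s*\d+\s+\*", line):
            hops.append((int(line.split()[0]), None))
    return dest, hops

def first_public_hop(text):
    """Hop number where a path to a private (RFC 1918) destination first hits
    a public address, or None if it stays private or the destination is
    public. A hit means the VPN client has no route for that subnet."""
    dest, hops = parse_traceroute(text)
    if dest is None or not dest.is_private:
        return None
    for hop_no, ip in hops:
        if ip is not None and ip.is_global:
            return hop_no
    return None
```

Run it against a real trace captured with the VPN up: a non-None result points at a missing client route rather than an MX firewall rule, since the MX never sees a tunnel for that traffic.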

WillN
Getting noticed

Meraki really dislikes ESP and UDP port 500 outbound (from a device behind the MX). It may be worth running a quick Packet capture on the MX LAN, and Internet, just to see if traffic is traversing the Firewall.

I have a sneaking suspicion that you won't see the traffic going from LAN - WAN and the traffic is using port 500.
