I recently deployed a full Meraki suite to one of our office. This includes MX84, MS120 switches, and MR42 AP's. The clients in the office operate solely on wireless.
One of our associates has to VPN into a client network, and from there(receiving a NAT'd address on the clients network) jump into their AWS platform to perform work. Since the deployment, the employee can no longer access the AWS side after successful VPN into the client network.
We have tested that it is related to the Meraki network by using a tether off of a cell phone as well as a MiFi device. Both optional choices allowed proper functionality. I could use some help as I feel like I have configured a rule somewhere mistakenly or a default rule is blocking,but I cannot seem to find it.
No problem. I mimicked what was in the previous security device which was basic to say the least to get them running with a plans to lock down the entity per our guidelines.
Have you ran a tracert after the user connects to the VPN? Is it actually seeing the correct route through the VPN?
You might test disabling AMP and reconnect to see what happens. We've seen that do strange things, although, once your tunnel is up it shouldn't be able to mess with that traffic.
Still waiting on the engineer to test with AMP off, but thank you for the clarification on the 18.104.22.168. I will remove it immediately.
We tested with AMP off and saw no change in behavior.
Below are the results of a TR.
MacBook-Pro-2:Tableau Information st$ traceroute 10.x.x.107
traceroute to 10.x.x.107 (10.x.x.107), 64 hops max, 52 byte packets Customer Private address in AWS
1 ip-10-x-x-1 (10.x.x.1) 6.645 ms 2.934 ms 2.403 ms Out of the Meraki Gateway
2 45-20-210-142.lightspeed.rlghnc.sbcglobal.net (22.214.171.124) 3.726 ms 3.737 ms 3.180 ms
3 104-186-148-1.lightspeed.rlghnc.sbcglobal.net (126.96.36.199) 9.676 ms 12.658 ms 9.885 ms
4 188.8.131.52 (184.108.40.206) 10.392 ms 12.585 ms 12.057 ms
5 220.127.116.11 (18.104.22.168) 11.215 ms 13.827 ms 11.737 ms
6 * *
From the results you posted it appears that your packet jump directly to the Internet after hitting your default gateway. Assuming that you had the VPN connection up when you ran the traceroute, I would say that your VPN connection/client does not know about the subnet that you are trying to reach. I would expect to see all private IP's in route to the AWS app that you mentioned. I would start with validating the VPN connection properties.
Meraki really dislikes ESP and UDP port 500 outbound (from a device behind the MX). It may be worth running a quick Packet capture on the MX LAN, and Internet, just to see if traffic is traversing the Firewall.
I have a sneaking suspicion that you won't see the traffic going from LAN - WAN and the traffic is using port 500.