Reaching un-defined subnets with MX AutoVPN

Solved

Johann

Hi all, hope somebody can help me out or point me in the right direction with this one. This is my setup:


HQ - MX behind an ASA

Branch - MX with AutoVPN to HQ with DSL connection


HQ is on a 10.32.0.x subnet with a static IP in that range, gateway is set to the core switch IP

Branch is on a 10.32.18.x subnet with a route on the ASA to allow reaching the network beyond the HQ MX


Everything works as expected with the VPN: from the branch we can reach any 10.32.x.x subnet as well as subnets in the range 172.30.x.x coming from the ASA.

Now it becomes murky. Currently, because we have the Default route ticked in Site-to-Site VPN, all our traffic goes over the VPN. We need to change this behaviour to ensure only advertised subnets go over the VPN and all internet traffic breaks out locally. I know that by unticking the Default Route I will get local internet breakout for non-VPN traffic, but this means that I can only reach the 10.32.x.x subnets and, crucially, not the 172.32.x.x subnets.

I tried adding another VLAN in the 172 subnet, but it didn't work because the MX doesn't know how to route this VLAN. I also tried adding a static route, but this also failed. So now I'm stumped. It might well be that my inputs in VLANs/static routes were wrong; any help would be greatly appreciated. Feel free to ask for more details.

4 Replies

ww

Is the HQ MX in routed mode? Do you have a simple network drawing? Not sure if your HQ is behind the ASA, the core switch or both.

On the HQ MX you create a route for 172.30.x.x to the next hop (IP of the core switch, 10.32.0.???), and you select advertise this route in VPN.

Does the core switch know the way (routing table) to 172.30.x.x and 10.32.18.x?

Johann

Hi there,


HQ is behind the ASA and the Core Switch and is in Passthrough mode; is this incorrect? Should I change it?

Yes, the Core Switch knows the routing to the subnets.


Thx

ww

In that case you have to advertise the 10.32.0.x and 172. subnet at the HQ, under the AutoVPN settings > Local networks.
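The route-selection behaviour the thread is working through (full tunnel with the default route ticked, split tunnel with it unticked, and why the 172.30.x.x range then drops out until HQ advertises it) can be shown with a small longest-prefix-match simulation. This is an added example and not code from the Meraki MX or from anyone in the thread; the prefixes 10.32.0.0/16, 10.32.18.0/24 and 172.30.0.0/16 are constructed stand-ins for the networks described above, and the "vpn:HQ", "wan:DSL" and "local" next-hop labels are mine.

```python
"""Spoke-side route selection for an AutoVPN-style site-to-site VPN.

Constructed example: models how a branch MX decides between the local
LAN, the VPN tunnel to HQ and the local WAN (DSL) breakout, depending on
(a) whether the default route is sent over the VPN and (b) which subnets
the HQ advertises as its local networks. Not the appliance's real code.
"""
from ipaddress import ip_address, ip_network

BRANCH_LAN = "10.32.18.0/24"          # constructed: branch VLAN


def spoke_routing_table(hub_advertised, default_route_over_vpn):
    """Build (prefix, next_hop) entries as the spoke would see them."""
    routes = [(ip_network(BRANCH_LAN), "local")]
    # Every subnet the hub advertises becomes a VPN route on the spoke.
    routes += [(ip_network(p), "vpn:HQ") for p in hub_advertised]
    # Default route: full tunnel sends it over the VPN, split tunnel
    # sends it out the branch's own WAN uplink.
    routes.append((ip_network("0.0.0.0/0"),
                   "vpn:HQ" if default_route_over_vpn else "wan:DSL"))
    return routes


def next_hop(dest, hub_advertised, default_route_over_vpn):
    """Longest-prefix match of dest against the simulated spoke table."""
    dest = ip_address(dest)
    table = spoke_routing_table(hub_advertised, default_route_over_vpn)
    best = None
    for net, hop in table:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]


# Scenario 1: HQ advertises only its 10.32.0.0/16 range, default route ticked.
# Everything not on the branch LAN, including internet traffic, rides the VPN.
FULL_TUNNEL = dict(hub_advertised=["10.32.0.0/16"], default_route_over_vpn=True)

# Scenario 2: default route unticked, HQ advertisement unchanged.
# Internet now breaks out locally, but 172.30.x.x is no longer a VPN route
# and would be sent out the DSL uplink as if it were public space.
SPLIT_BROKEN = dict(hub_advertised=["10.32.0.0/16"], default_route_over_vpn=False)

# Scenario 3: the accepted fix. HQ also advertises 172.30.0.0/16 under
# Site-to-site VPN > Local networks, so that prefix is a VPN route again
# while internet traffic still breaks out locally.
SPLIT_FIXED = dict(hub_advertised=["10.32.0.0/16", "172.30.0.0/16"],
                   default_route_over_vpn=False)


def demo():
    """Return the next hop chosen for three sample destinations per scenario."""
    dests = ["10.32.0.10", "172.30.5.5", "8.8.8.8"]
    out = {}
    for name, cfg in (("full_tunnel", FULL_TUNNEL),
                      ("split_broken", SPLIT_BROKEN),
                      ("split_fixed", SPLIT_FIXED)):
        out[name] = {d: next_hop(d, **cfg) for d in dests}
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name)
        for dest, hop in result.items():
            print(f"  {dest:<12} -> {hop}")
```

The point the simulation makes is that unticking the default route does not by itself break 172.30.x.x; it just removes the catch-all that had been carrying it. Anything the spoke should still reach through HQ has to appear as an explicit advertised local network on the hub, which is exactly the change that resolved the thread.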

Johann

That did it, thanks for the help!
