Route specific IP's over non-meraki VPN to the Internet

KrisVerdonck
Here to help


Hi,

 

I have a question regarding non-meraki vpn and routing.

I have a non-Meraki VPN connection to which several clients are connected with IP range 10.55.208.0/20.

The clients in that IP range are able to reach the internal IPs in the network. They are connected via a VPN client that allows me to insert certain allowed subnets.

 

Now for the problem. There are 2 websites on a public IP that are only reachable via the public IP address from the firewall (MX450).

I can configure the client on 10.55.208.0/20 to use the VPN tunnel for these 2 public IPs. BUT it seems that this traffic is not allowed on the MX. Do you have an idea how you would solve this?

5 Replies
NolanHerring
Kind of a big deal

How do you have your site-to-site firewall rules setup?
Nolan Herring | nolanwifi.com
KrisVerdonck
Here to help

[Attachment: NetworkConfig.PNG]

PhilipDAth
Kind of a big deal

If you change the client VPN configuration to use "full tunnel" - does it work?

 

Does the client have any software firewall on it that could be complicating the issue?

KrisVerdonck
Here to help

I can see that the traffic to both public IPs is going over the client VPN tunnel.

But in the phase 2 IKE encryption domain I don't have these routes on the ASR that the Meraki is connected to.

I just don't know how to send them with the MX.

 

KR,

PhilipDAth
Kind of a big deal

For the MX to include IP addresses in its encryption domain it has to have them as either directly connected layer 3 interfaces or static routes.

In your case they would have to be static routes, for the two web sites you want to be accessible.

 

However, you can not add a static route via a WAN interface. Consequently you can add them into the MX encryption domain. Consequently you won't be able to build an SA with the MX that includes those two public IP addresses on its side.

 

I can not think of a way you will be able to get this to work using only the kit mentioned.

 

You would need a proxy server or something similar at the MX site to make this work. A trick I have used in the past is using the TCP port forward option in Windows Server. You configure a server at the MX site to forward a port from its LAN IP address to the remote web site. Then create a hosts entry on your client's machine pointing at that server.

 

The other option is to use the "Meraki" VPN client where it is doing a full tunnel.
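The TCP port-forward workaround described in the reply above, written out as an added example that is not part of the original thread and is neither Meraki's nor the poster's own configuration. It uses the built-in Windows netsh portproxy feature on a server at the MX site; the server LAN address (10.10.10.50) and the site name (www.example.com) are placeholders assumed for illustration, and 10.55.208.0/20 is the client VPN range from the question.

```powershell
# Added example: TCP port forward on a Windows server at the MX site, plus the
# matching hosts entry on the VPN client. Run in an elevated PowerShell session.
# Assumed placeholder values (not from the thread):
$ListenAddress = '10.10.10.50'       # constructed: LAN IP of the forwarding server, reachable over the VPN
$RemoteHost    = 'www.example.com'   # constructed: one of the two public web sites
$ClientRange   = '10.55.208.0/20'    # client VPN range from the question

# Forward HTTP and HTTPS. The server resolves connectaddress itself and sends the
# traffic out its own default route, i.e. via the MX WAN public IP.
foreach ($port in 80, 443) {
    netsh interface portproxy add v4tov4 `
        listenaddress=$ListenAddress listenport=$port `
        connectaddress=$RemoteHost connectport=$port
}

# Portproxy listeners are created by the IP Helper service; make sure it runs at boot.
Set-Service -Name iphlpsvc -StartupType Automatic
Start-Service -Name iphlpsvc

# Open the forwarded ports in Windows Firewall, but only for the VPN client range,
# so the forwarder is not reachable from anywhere else on the LAN.
New-NetFirewallRule -DisplayName 'Portproxy from client VPN' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -RemoteAddress $ClientRange -Action Allow

# Review what is configured.
netsh interface portproxy show v4tov4

# --- On each VPN client (elevated) ---
# Point the site name at the forwarding server. Using the real hostname (not the
# server IP) in the browser keeps the Host header and TLS SNI intact, so the
# site's certificate still validates on the client.
# Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Value "10.10.10.50 www.example.com"

# Verify from a client once the VPN is up.
# Test-NetConnection -ComputerName www.example.com -Port 443
```

Two practical points follow from this design: the forwarder terminates nothing, so the TLS session still runs end to end between the browser and the web site, which is why the hosts entry must carry the real site name; and because the web site sees the MX public IP as the source, any IP allow-list on the site side keeps working without changes to the IPsec encryption domain.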
