Meraki

Community

Site-to-Site VPN Can't Access Internal Network

Heath_Rose
Conversationalist
2 weeks ago
2 weeks ago

Site-to-Site VPN Can't Access Internal Network

I have (2) Meraki MX75’s and am trying to get them to work as a Hub and Spoke. I have one of the MX75’s in our data center and have the WAN1 port connected to an external public IP 168.166.x.x address. The 168.166.x.x address only has access to the internet and does not have access to our Internal Company Network.

 

I have another port/IP address of 10.1.x.x and have it connected to the WAN2 port on the Meraki MX75. I have the Site-to-Site Auto VPN working between both the Hub and Spoke and have internet access on the poke but I can not figure out how to get the spoke access to our Internal 10.x.x.x network.

 

Does anyone have experience with this or any ideas on how to accomplish this?

Labels:
0 Kudos
7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

How are you testing this?

Do you have any firewall rules configured?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Heath_Rose
Conversationalist
2 weeks ago
2 weeks ago

I have a computer connected to the MX75 spoke and can connect to the internet over the tunnel, but I cannot connect to the internal 10.0.0.0/8 network. I cannot ping or connect to anything on the 10.0.0.0/8 network at all including DNS.

 

I have a firewall rule on the Hub 

Heath_Rose_0-1770217571986.png

 

0 Kudos
In response to Heath_Rose
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

There are firewall rules in the VPN as well.

 

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Site-t...

 

Another point is, do you have active firewalls on the machines? It could be the system's own firewall blocking communication.

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Heath_Rose
Conversationalist
2 weeks ago
2 weeks ago

So when talking about the MX75 Hub, I have (2) network connections.

 

Connection 1 is the public Internet connection that I have connected to WAN1

and Connection 2 is the Enterprise Network 10.0.0.0/8 I have connected to WAN2

 

Would this be the proper way to connect this?

0 Kudos
In response to Heath_Rose
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

The WAN will not communicate with the LAN; this is expected.

You need a new network (VLAN interface) configured on the LAN.

Communication is LAN-to-LAN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to Heath_Rose
ww
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

Meraki wan interfaces need internet connectivity.

You should connect it to the lan side and add a static 10.0.0.0/8 route to the next hop.

 

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Networ...

0 Kudos
In response to ww
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

Why a static route? You can simply configure a new SVI on the same network and the route will be automatically advertised in the auto VPN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2026 Cisco Systems, Inc.