?Source NAT? on Non-Meraki VPN MX68

ngsb
Comes here often

I have a situation where I want to replace my ASA with our MX68 "HUB" to what will be approx 300 AutoVPN connections (two pictures of ASA attached - I need to replicate this on my MX68)

but one of the things the ASA has is a Site-to-Site VPN to another company which we use to connect to some cell routers in the field.

Part of that connection is that we must NAT our traffic destined for 10.80.20.224/27 (Cell Routers) to come from source 172.16.7.112/29. Our normal subnet is 192.x.x.x and our VPN subnet is 192.x.xx.x

 

I'm trying to plan out pulling the ASA to make the MX68 our firewall but I can't see where I would create these rules related to the non-meraki s2s?

 

Alternatively - all 300 Z3s connected to our MX68 will have a single subnet we would like to reach directly from our main MX68 LAN. This works if I'm on the MX68 via clientVPN or locally. If I keep my ASA as my firewall, what sort of rules would I have to create to route particular traffic from behind the ASA to these Meraki subnets? Several static routes basically, so if we are on the ASA LAN and we want to hit a Meraki subnet the ASA sends that traffic to the MX68?

 

*Email support said call in. I have been on hold for 45 minutes to talk to a human so here I am asking you good folks for assistance! We are a small company with a lot of "sites" we are putting these Z3s at. We enjoy the simplicity of the dashboard vs. the ASA and would be in a better position to manage our networks if we could stay in Meraki, I think.

[Attachments: Meraki.png, Meraki2.png]

5 Replies
ww
Kind of a big deal

MX can't translate to non-Meraki VPN.

Also, the MX68 is only recommended for 50 tunnels.

 

MX behind ASA as VPN concentrator would be the best solution, and route between MX and ASA.

 

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide#Deploying_a_...

ngsb
Comes here often

Thank you, I will research the concentrator.

I misspoke.

We are deploying 20 as a proof of concept and when we get to more it will likely be a vMX on AWS or a larger MX on-prem.

 

That helps to know the Meraki is not capable of becoming our firewall due to this rule.

Bruce
Kind of a big deal

Hi @ngsb. The MX devices can’t do the NAT of traffic going to a non-Meraki VPN peer, so it’s almost certain you will need to maintain the ASA (or another third party firewall) in the design. Having the ASA terminating this VPN will also let you distribute the routes to the far end into the Meraki Auto VPN, something you may not be able to do otherwise.

 

Then you just need to work out which way round you want to position the devices. Do you want the ASA on the internet edge with the Meraki MX behind it in VPN concentrator mode, or do you have the MX at the internet edge, with the ASA behind it just to terminate the third-party VPN? This may come down to what inspection you want to do on the edge - do you intend to use the Meraki Advanced Security with Cisco AMP, IDS/IPS etc., or do you only have the Enterprise license, in which case you may consider using the ASA for those functions (assuming it can run the Firepower services software module).

 

Either way, the MX68 will know of all the routes to the Z3 sites through Auto VPN, and you’ll need a static route from the MX68 pointing to the ASA for the cell routers (which needs to be advertised ‘in’ the Auto VPN). In the reverse direction you’ll need a route from the ASA to the MX68 for traffic to reach the Z3 sites. Ideally you’d want all the Z3 sites to exist under a single summary route if possible; that will make things much easier (e.g. each Z3 site is a 192.168.x.x subnet, and this can be summarised as 192.168.0.0/16 in a static route on the ASA). These are the basics; there will likely be other things you will find you need to do, and also some you could (like dynamic routing).
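
A configuration sketch of the ASA side of this design, added here as an example; it is not taken from the thread, from Cisco, or from Meraki documentation. It assumes the ASA sits at the internet edge with interfaces named `inside` and `outside`, runs ASA 8.4(3) or later (for the `pat-pool` keyword), that the Meraki device on the inside LAN (the Z3 or the MX68 in concentrator mode) answers at 192.168.20.10, and that the Z3 sites summarise to 192.168.0.0/16 as suggested above. The object and access-list names are made up. It covers both the source NAT toward the cell routers from the original question and the static route toward the Meraki subnets from the reply above.

```cisco
! Added example, not the thread's or Cisco's own configuration.
! Assumed: interfaces "inside"/"outside", ASA 8.4(3)+, Meraki device at 192.168.20.10.
! Object and ACL names are placeholders chosen for this example.

! Address objects: partner destination, the source range the partner expects,
! and the summary covering every Z3 site (and the ASA LAN, 192.168.20.0/24).
object network CELL_ROUTERS
 subnet 10.80.20.224 255.255.255.224
object network NAT_POOL_TO_PARTNER
 subnet 172.16.7.112 255.255.255.248
object network MERAKI_SUMMARY
 subnet 192.168.0.0 255.255.0.0

! Policy (twice) NAT: only traffic whose destination is the cell routers is
! translated, so the partner sees sources inside 172.16.7.112/29 and all
! other traffic keeps its real address. pat-pool is used rather than plain
! dynamic NAT because a /29 would be exhausted after a handful of hosts.
! Because the Z3 subnets fall inside MERAKI_SUMMARY, remote sites that reach
! the ASA via the MX68 get the same translation as the local LAN.
nat (inside,outside) source dynamic MERAKI_SUMMARY pat-pool NAT_POOL_TO_PARTNER destination static CELL_ROUTERS CELL_ROUTERS

! Crypto ACL for the partner site-to-site tunnel: it must match the
! translated source, not the real 192.168.x.x addresses.
access-list VPN_TO_PARTNER extended permit ip object NAT_POOL_TO_PARTNER object CELL_ROUTERS

! Static route: anything for a Z3 site goes to the Meraki device on the inside
! network. The ASA's own connected 192.168.20.0/24 is more specific than this
! /16, so local LAN traffic is unaffected.
route inside 192.168.0.0 255.255.0.0 192.168.20.10 1
```

The matching piece on the Meraki side, a static route for 10.80.20.224/27 with the ASA's inside address as next hop, enabled for advertisement in Auto VPN, is dashboard configuration rather than CLI and is not shown. After applying the above, confirm with `show nat` that hit counts increase only for flows to the cell routers, and with `show route` that the /16 sits behind the connected /24.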

ngsb
Comes here often

So there’s some additional weirdness; I’m hoping you might know if the below solution will work.

1. Auto VPN is only working if my VPN Hub (68) is on the edge. There’s unfriendly NAT at the Z3s and for some reason once I put our hub behind the ASA the auto VPN doesn’t maintain. The Z3s are behind a customer's firewall so right now it just is this way. Working on a solution.

Given that: 

I’d like to keep our 68 connected to ISP on a spare Static IP and this is the Hub (until more connections in future)

I’d like to put a Z3 behind our ASA as a concentrator Spoke so the ASA will have that summary route you mentioned pointing to the Z3 for the Meraki subnets 

 

But I’m having a problem

192.168.20.1 is the ASA and Z3 is 192.168.20.10

I can ping Meraki subnets from the ASA LAN with my summary route but I can’t establish a TCP connection. Is this because the Meraki thinks the gateway for 192.168.20.0 is itself and not the ASA? When I try to set a route for this in Meraki it errors because it says it has built one already, and I cannot find where to set the gateway IP in the Meraki when I set it to .10 so it knows that for subnet 192.168.20.0/24 the gateway is .1 (ASA).

 

I had the same problem if I set it as a routed VPN spoke. 

Bruce
Kind of a big deal

You really need to get the Unfriendly NAT issue solved, whether or not the hub MX is on the edge or a concentrator, as this will likely cause issues. The Unfriendly NAT means an upstream firewall is modifying the source port (or source IP address) differently for the two connections to the VPN registry (and potentially also the AutoVPN IPSec connection itself). The only solution is to create a static port forward on the upstream (customer) firewall and configure that manually in the Site-to-Site VPN configuration page.

 

I don’t think I’ve ever tried to use a Z3 as a concentrator, so not sure if it will actually work (can’t see why it wouldn’t, since it’s almost the same, but it may be one of those gotchas). If it does work, then if you are able to successfully ping a device at a Z3 location from the ASA LAN then the routing is probably correct, and it is more likely the TCP traffic is being blocked at a higher layer (e.g. a firewall rule is blocking it).

 

Out of interest, any reason why you are using a Z3 to connect to the ASA? Why not just connect it to a LAN port on the MX hub? (or are they on different sites?)
