Meraki

Community

VPN Subnet Translation

Jamest201
Here to help
‎Jul 20 2020 5:08 AM
‎Jul 20 2020 5:08 AM

VPN Subnet Translation

Hi, we currently have an MPLS with another 3rd party and I'm slowly moving away from it to meraki SD-wan.

 

The last piece of the puzzle is routing traffic to our dealer management system (DMS, we're a car dealer) which is the 3rd party network, we are going to take away all their routers on our sites aside from 2, one is to feed all this DMS traffic out and all other sites will talk to this via the SD-wan and the other we are looking to have as a failover. The 3rd party has said we can do this but their 2 routers need to exist on the same subnet and need to be able to talk to one another, so I'm trying to implement vpn subnet translation.

I have created the same subnets at sites A and B, at site A I have included the required Vlan in the VPN with translation, but how do I setup site B?

 

It will not let me include it at all in the vpn. I think I have misunderstood how this works.

 

James

0 Kudos
6 Replies 6
Seshu
Meraki Employee
Meraki Employee
‎Jul 20 2020 10:52 AM
‎Jul 20 2020 10:52 AM

Hello @Jamest201 

 

Since you have the same Subnet declared on 2 sites, the VPN Subnet Translation has to be done on both sides of the VPN tunnel to be able to enable that VLAN over VPN. Please try that and let me know if you see any issues.

 

Regards,

Seshu

Meraki Team

0 Kudos
In response to Seshu
Jamest201
Here to help
‎Jul 21 2020 4:54 AM
‎Jul 21 2020 4:54 AM

So I have translated it on site B so both in the VPN now, however they cannot talk. Would I need to address them by their translated addresses? Where in the dashboard can I see the translated address?

0 Kudos
In response to Jamest201
Seshu
Meraki Employee
Meraki Employee
‎Jul 22 2020 7:22 AM
‎Jul 22 2020 7:22 AM

Hello James,

 

Each site should be trying to reach out to the other side's translated address. So, if you have translated 10.10.10.0/24 to 192.168.10.0/24, the last octet will remain the same for any client. For example, 10.10.10.200 will be 192.168.10.200. Please try this and let me know if you are still unable to get across on the VPN tunnel. 

 

There may be a bigger routing issue at stake here. I am only recommending this for the traffic on those VLANs could traverse the VPN tunnel. 

 

Regards,

Seshu 

Meraki Team

0 Kudos
In response to Seshu
Jamest201
Here to help
‎Jul 22 2020 8:33 AM
‎Jul 22 2020 8:33 AM

@SeshuYes that makes sense, I can ping using the translated ip address. Thats not gonna work for HSRP on the 3rd party side then. Back to the drawing board but thanks for clearing that up.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 20 2020 11:46 AM
‎Jul 20 2020 11:46 AM

I don't think you are going to work around this.

 

The provider of the DMS routers architecture does not support this.  Their HA is only supported via a single site.  I bet you will have grief trying to make it work in a way it is not designed.

 

Let's try flipping it around.  Ask them if you can put a "router" in their DC.  If so, install your own Internet feed and an MX configured as a hub.  You could even use a pair of them if you are keen.

As a bonus, this will probably work out cheaper than paying for the WAN and router.  As a double bonus, this will allow all your sites to talk directly to the DMS and be more redundant - and a supported architecture.

In response to PhilipDAth
Jamest201
Here to help
‎Jul 21 2020 4:57 AM
‎Jul 21 2020 4:57 AM

@PhilipDAthI think you might be right, putting a router in their DC isnt going to be an option unfortunately.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.