Will Main Office VPN subnets be accessible from 2nd Office

SOLVED
LBRO
Conversationalist

Customer has Main Office with MX84 with approximately 30 third-party tunnels to their Clients. They access Clients' servers to do support work through these tunnels. The Customer wants to move to a new Office in stages and they want the Staff at the new Office to be able to access Clients' servers from the new Office. The Customer has a 2nd MX84 that will be used as a firewall at the new Office. Both Offices have their own Fiber connection to the internet but no direct connection to one another.

The question is, if we set up AutoVPN between the Main and New Office, will the new Office be able to connect to the Clients' servers?

1 ACCEPTED SOLUTION
Nash
Kind of a big deal

Hi there!

This came up yesterday.

Aaron Willette has a blog about a topology that will allow access between AutoVPNed firewalls to third party tunnels.

4 REPLIES 4
PhilipDAth
Kind of a big deal

There is not going to be any nice solution here.  First, the current VPNs will all have been built using a specific encryption domain.  You can't just go and add in another office using a different subnet without having to rebuild all of those VPNs.

Your next problem - are you able to keep your current static IP address on your MX when you shift to your new office?  Not all ISPs allow this.  If you have to change that you'll be in a world of hurt having to rebuild every one of those VPNs - and it won't be gradual - you'll have to do them all at the same time.

Considering only the scope of what has been given, I'd be using a couple of Cisco routers, like 890 series, 1100 series, and build a L2TPv3 connection between them - and extend the network at layer 2.  Then you'll have exactly the same IP addressing.

You might be able to get a service provider to do this for you, but they'll usually want a fixed term contract.

I think you should consider the larger picture and resolve this at a grander [architecture] scale.

For example, for things that require an actual direct IP connection [not many these days] - we do all client management via Amazon AWS.  We then connect our office into that.  This means it doesn't matter what IP addressing our office has, or whether we are working remotely on client VPN.

However, very few things require an actual direct IP connection these days.  There are a lot of remote access solutions that connect out and solve this problem.  For example, Connectwise Automate.

For monitoring we use PRTG because you can put an agent on the client's premises and it connects out to report the monitoring data.

I encourage you to look at other solutions that don't require you to have a VPN.
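The encryption-domain point above is worth checking mechanically before a move: each third-party tunnel only carries traffic whose source lies inside the selectors the client's firewall agreed to, so a new office subnet that is not already inside those selectors means a change on the peer side too. The script below is an added example written for this thread, not code from the poster or from Meraki; the tunnel table in it is constructed, and it assumes the selectors have been copied out of each tunnel's configuration as plain CIDR strings.

```python
"""Find which third-party IPsec tunnels must be touched before a new office
subnet can reach a client through the main office.

Added example for the thread, not from any poster. TUNNELS is constructed:
for each client tunnel, the customer-side ("local") and client-side ("remote")
traffic selectors as the client's firewall currently has them."""
from ipaddress import ip_network

TUNNELS = {
    "client-a": {"local": ["10.10.0.0/24"], "remote": ["192.168.50.0/24"]},
    "client-b": {"local": ["10.10.0.0/16"], "remote": ["172.20.5.0/24"]},
    "client-c": {"local": ["10.10.0.0/24", "10.10.1.0/24"], "remote": ["10.200.0.0/22"]},
}


def selector_covers(selectors, subnet):
    """True if subnet lies entirely inside one of the selectors."""
    net = ip_network(subnet)
    return any(net.subnet_of(ip_network(s)) for s in selectors)


def tunnels_needing_rebuild(tunnels, new_subnet):
    """Tunnels whose agreed local encryption domain does not already include
    new_subnet; each of these needs a change on the client's peer as well."""
    return sorted(name for name, t in tunnels.items()
                  if not selector_covers(t["local"], new_subnet))


def overlapping_remotes(tunnels, new_subnet):
    """Tunnels whose client-side selectors overlap new_subnet; a subnet that
    collides with a client's address space cannot be routed through that
    tunnel and should not be chosen for the new office."""
    net = ip_network(new_subnet)
    return sorted(name for name, t in tunnels.items()
                  if any(net.overlaps(ip_network(r)) for r in t["remote"]))


if __name__ == "__main__":
    for candidate in ("10.10.20.0/24", "10.200.1.0/24"):
        print(candidate,
              "rebuild:", tunnels_needing_rebuild(TUNNELS, candidate),
              "overlaps:", overlapping_remotes(TUNNELS, candidate))
```

Run it with the real selector lists and the candidate subnet for the new office: an empty result from both functions is the only case where the move can be staged without coordinating a change with every client; anything else is the list of peers that have to be contacted, which is the "rebuild all of them" cost described above.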

LBRO
Conversationalist

Thanks for your suggestion.

Could you elaborate more on "we do all client management via Amazon AWS" ?

PhilipDAth
Kind of a big deal

>Could you elaborate more on "we do all client management via Amazon AWS" ?

We operate a SOCKS proxy tunneled through SSH via a server located in Amazon AWS.  Any remote management of clients is done via that.  It also logs every IP flow through it, and connectivity to it is authenticated using an SSH key.
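The "logs every IP flow" part of that design rests on the fact that a SOCKS proxy sees the destination of every connection before it opens it, so it is a natural place to keep an audit trail. The decoder below is an added example for this thread, not code from the poster or from OpenSSH (whose `ssh -D` proxy does this parsing internally); it reads the SOCKS5 request header laid out in RFC 1928 (VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT) and turns it into the kind of one-line flow record a logging proxy would write. The sample requests in the test are constructed.

```python
"""Decode SOCKS5 request headers so a proxy can log each flow's destination.

Added example for the thread, not code from any poster or project. Follows
the RFC 1928 request layout: VER(0x05) CMD RSV ATYP DST.ADDR DST.PORT."""
import socket
import struct

CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_socks5_request(data: bytes):
    """Return (command, host, port) from a SOCKS5 request, or raise ValueError."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        raise ValueError(f"unknown command {cmd:#x}")
    # Work out where the address ends before touching it, so a truncated
    # request is rejected instead of producing a half-decoded host.
    if atyp == 0x01:            # IPv4: 4 address bytes
        addr_end = 8
    elif atyp == 0x03:          # domain name: 1-byte length prefix
        addr_end = 5 + data[4]
    elif atyp == 0x04:          # IPv6: 16 address bytes
        addr_end = 20
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) < addr_end + 2:
        raise ValueError("truncated request")
    if atyp == 0x01:
        host = socket.inet_ntop(socket.AF_INET, data[4:8])
    elif atyp == 0x03:
        host = data[5:addr_end].decode("ascii")
    else:
        host = socket.inet_ntop(socket.AF_INET6, data[4:20])
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return CMD_NAMES[cmd], host, port


def flow_log_line(client_ip: str, data: bytes) -> str:
    """One record per flow: which authenticated client asked to go where."""
    cmd, host, port = parse_socks5_request(data)
    return f"client={client_ip} cmd={cmd} dst={host}:{port}"
```

A proxy built this way records the requested destination (including domain names, which a packet capture on the tunnel would not show) against the SSH identity that opened the session, which is what makes the log useful for reviewing who touched which client system.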
