having trouble getting traffic through on a mx67 w/ anyconnect client vpn

sinh
New here

Having a heck of a time trying to get this going. I have an old SSL VPN I want to replace with an MX67 and AnyConnect for my end users. I've gone through the documentation sections for this but can't seem to find the answer I'm looking for.

Currently my VPN solution is this:

client <-> internet <-> router/fw <-> old ssl vpn server <-> local net resources

Essentially I want to replace the SSL VPN server with an MX67. Currently I have it set as passthrough, with AnyConnect enabled using RADIUS authentication. In my testing, the client is able to connect but I'm unable to access any of the local resources at the datacenter (i.e. I cannot SSH to a server that was behind the router/fw above). Part of me thinks I'm missing a route somewhere. In this mode does the MX67 not push any route info out? Considering I can't define any static routes in this mode, I'm going to assume the answer is no.

Question is, how do I set up the MX67 to be a basic VPN concentrator using the AnyConnect client that will allow both access to services behind it?

Second question: if I cannot do this in passthrough mode and I have to use routed mode, is it possible to have DHCP requests passed through to an internal DHCP server instead of using the MX67 as a DHCP server?

Thanks.

5 Replies
ww
Kind of a big deal

Does your router/fw route the VPN/AnyConnect subnet back to the MX67 IP?

sinh
New here

Good question. There are no specific rules in my router/fw that route anything to the existing VPN server.

For the record, I'm using a Ubiquiti UDM-PRO in front of the MX67. All I have is a port forwarded from the outside on 9443 to the IP of the MX67 on port 9443 (which is defined in the AnyConnect config).

ww
Kind of a big deal

Try to set the static route of that AnyConnect subnet to the MX IP (on your UDM Pro).

To add a static route, go to Settings -> Advanced Features -> Advanced Gateway Settings -> Static Routes

sinh
New here

Thank you for this. I can't find this in the Meraki dashboard and I don't remember seeing this in the UDM interface.

cmr
Kind of a big deal

If you only need VPN from the MX, then I would set it up as a VPN concentrator.  The network flow would then be: 

 

Client ---> internet ---> UDM ---> local LAN ---> MX67

 

On the MX set a route saying that everything is available on the UDM if the UDM is routing between the VLANs/subnets.  On the UDM you should only need what you have already created.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
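
The return-route question raised in the replies above, as an added example that is not part of any post in the thread: a longest-prefix-match lookup over the upstream router's table shows where a server's reply to a VPN client goes with and without a static route for the AnyConnect subnet. All addresses, the pool subnet and the function names are constructed for illustration.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: next hop of the most specific route covering dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), hop)
               for prefix, hop in routes
               if dst in ipaddress.ip_network(prefix)]
    if not matches:
        return None  # no route at all: the packet is dropped
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed sample values (assumptions, not taken from the thread).
LAN = "192.168.10.0/24"        # datacenter LAN behind the upstream router
MX_IP = "192.168.10.5"         # MX67 address on that LAN
VPN_POOL = "192.168.200.0/24"  # AnyConnect client subnet configured on the MX
VPN_CLIENT = "192.168.200.17"  # address handed to one VPN client
SERVER = "192.168.10.50"       # host the client tries to SSH to

# Upstream router as described in the thread: a port forward only,
# no route that mentions the VPN client subnet.
ROUTER_ROUTES = [(LAN, "connected"), ("0.0.0.0/0", "wan")]

def reply_path(routes):
    """Where the router forwards the server's reply to the VPN client."""
    return next_hop(routes, VPN_CLIENT)

def with_static_route(routes):
    """Same table plus a static route for the VPN pool via the MX."""
    return routes + [(VPN_POOL, MX_IP)]

if __name__ == "__main__":
    # Without the static route the reply matches only the default route
    # and leaves via the WAN, so the client's session never completes.
    print("before:", reply_path(ROUTER_ROUTES))
    # With it, the /24 is more specific than 0.0.0.0/0 and wins.
    print("after: ", reply_path(with_static_route(ROUTER_ROUTES)))
    # Traffic to the server itself is unaffected by the added route.
    print("server:", next_hop(with_static_route(ROUTER_ROUTES), SERVER))
```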