site to site vpn to ASA with selected subnets to be allowed over the tunnel

Mohit_Chauhan
Here to help

Hi,

We have an MX running a site-to-site VPN with an ASA belonging to a different company. There are lots of common subnets in both organisations, and therefore we only want the interesting traffic between a non-conflicting pair. So it is 10.0.0.0/24 behind the MX and 192.168.1.0/24 behind the ASA that need to talk to each other.

I read about using Tags. The thing I was not sure about was that when we create/add a tag, it is applied to the network. Now the network where this MX is sitting is luckily on one subnet, which is this 10.0.0.0/24; however it has heaps of static routes, Auto VPNs to Z1s and client VPN networks which talk across in all directions as they are all part of the same organisation. I was not sure if this tag will only apply to the MX LAN subnet or will also include these other subnets. If other subnets are part of this tag, we will have issues as there are lots of conflicting subnets across the ASA side.

I also read about the parent tag and sub-tag options, but could not find them in the dashboard. I am sure I wouldn't be the first one trying to achieve this solution. Has someone tried this or can guide me down the right path?

Any suggestions or thoughts will be highly appreciated.

Thanks.

Mo

4 Replies
PhilipDAth
Kind of a big deal

The site to site non-Meraki VPN configuration is organisation wide.  By default every MX will try and build the VPN.  The tags are used to limit which MX's should attempt to build the VPN.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#Peer_availability

When you say to include a VLAN in a VPN it is included in both AutoVPN and non-Meraki VPNs. You can't specify a separate list only for non-Meraki VPNs.

With these limitations it may not be possible to build the non-Meraki site to site VPN and have it work in this case because of the overlapping subnets.

On the ASA side it could be done, because the ASA supports doing subnet NAT based translation for VPNs - you could make this work - but this is an advanced configuration.


@PhilipDAth wrote:

> The site to site non-Meraki VPN configuration is organisation wide. By default every MX will try and build the VPN. The tags are used to limit which MX's should attempt to build the VPN.
>
> https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#Peer_availability
>
> When you say to include a VLAN in a VPN it is included in both AutoVPN and non-Meraki VPNs. You can't specify a separate list only for non-Meraki VPNs.
>
> With these limitations it may not be possible to build the non-Meraki site to site VPN and have it work in this case because of the overlapping subnets.
>
> On the ASA side it could be done, because the ASA supports doing subnet NAT based translation for VPNs - you could make this work - but this is an advanced configuration.

Thanks for your inputs here.

If we restrict one MX to connect to the ASA in this case using a TAG, and make use of the "site to site outbound firewall" to restrict what traffic goes through the tunnel, do you think it should be workable? Or are there any downsides?

Otherwise, the other thing I was thinking about (I haven't seen any update from Meraki on this though) was to NAT the traffic before tunnelling. However, from the documentation guide, it only says that is feasible on Auto VPN, and that too with TAC support.

> If we restrict one MX to connect to ASA in this case using TAG, & make use of the "site to site outbound firewall" to restrict what traffic goes through the tunnel, do you think it should be workable?

No. It is not a matter of the firewall rules. The source and destination encryption domains need to match on each end of the VPN.

> was to do NAT of traffic before tunnelling

You can't do that in this case.
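The two constraints raised in this thread (the encryption domains must mirror each other on both peers, and a subnet the MX pushes into the tunnel must not overlap address space the other organisation already uses) can be checked before anyone touches a config. The script below is an added example, not code from the thread, Meraki or Cisco; only 10.0.0.0/24 and 192.168.1.0/24 come from the question, while the extra MX-side subnets (10.1.0.0/24 as a static route, 172.16.50.0/24 as a client VPN pool) and the ASA-side 10.1.0.0/24 are constructed to model "other VPN-enabled subnets" and "conflicting subnets on the ASA side".

```python
"""Pre-flight check for a site-to-site IPsec tunnel: do the two peers'
traffic selectors (encryption domains) mirror each other, and does anything
one peer would send into the tunnel overlap address space on the other side?
Added example; the sample networks below are constructed, not a real site."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Selector = Tuple[str, str]  # (local_subnet, remote_subnet) as CIDR strings


def _net(cidr: str):
    """Parse a CIDR string, tolerating host bits (10.0.0.1/24 -> 10.0.0.0/24)."""
    return ipaddress.ip_network(cidr, strict=False)


def mirrored_selectors(peer_a: Iterable[Selector], peer_b: Iterable[Selector]) -> bool:
    """True when every (local, remote) pair on A appears as (remote, local) on B,
    and nothing extra exists on either side. A mismatch here cannot be fixed
    with firewall rules: the peers will fail to agree on the SA."""
    norm_a = {(str(_net(l)), str(_net(r))) for l, r in peer_a}
    norm_b = {(str(_net(r)), str(_net(l))) for l, r in peer_b}  # swap sides
    return norm_a == norm_b


def find_overlaps(side_a: Iterable[str], side_b: Iterable[str]) -> List[Tuple[str, str]]:
    """Every pair (a, b) where a subnet on one side overlaps a subnet on the other.
    Overlapping space is unroutable across the tunnel without NAT."""
    return sorted(
        (str(a), str(b))
        for a in map(_net, side_a)
        for b in map(_net, side_b)
        if a.overlaps(b)
    )


def check_tunnel(mx_selectors: Iterable[Selector],
                 asa_selectors: Iterable[Selector],
                 asa_internal: Iterable[str]) -> Dict[str, object]:
    """Run both checks for one tunnel.

    mx_selectors  - (local, remote) pairs the MX will offer
    asa_selectors - (local, remote) pairs the ASA will offer
    asa_internal  - every subnet routed inside the ASA's organisation,
                    whether or not it is meant to cross the tunnel
    """
    mx_selectors = list(mx_selectors)
    mx_local = [local for local, _ in mx_selectors]
    return {
        "mirrored": mirrored_selectors(mx_selectors, asa_selectors),
        "overlaps": find_overlaps(mx_local, asa_internal),
    }


# --- Constructed sample data (only the two /24s come from the thread) --------
INTENDED_MX = [("10.0.0.0/24", "192.168.1.0/24")]
INTENDED_ASA = [("192.168.1.0/24", "10.0.0.0/24")]

# What the MX would offer if every VPN-enabled subnet behind it is included.
ACTUAL_MX = [
    ("10.0.0.0/24", "192.168.1.0/24"),     # the MX LAN
    ("10.1.0.0/24", "192.168.1.0/24"),     # static route behind the MX (constructed)
    ("172.16.50.0/24", "192.168.1.0/24"),  # client VPN pool (constructed)
]
# The other organisation also uses 10.1.0.0/24 internally (constructed).
ASA_INTERNAL = ["192.168.1.0/24", "10.1.0.0/24"]


if __name__ == "__main__":
    print("intended:", check_tunnel(INTENDED_MX, INTENDED_ASA, ASA_INTERNAL))
    # -> mirrored True, no overlaps
    print("actual:  ", check_tunnel(ACTUAL_MX, INTENDED_ASA, ASA_INTERNAL))
    # -> mirrored False, overlap on 10.1.0.0/24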

NormanYoung
New here

Hey Mohit Chauhan! I read about using Tags too. I'm installing VeePN for my own service. Once you have your VeePN up and running, you can use it for some really cool different things, too. If you want to catch up on your favourite TV, get cheaper plane tickets and hack YouTube, then you're going to want to pay attention to this section.
