Meraki

Community

site to site vpn to ASA with selected subnets to be allowed over the tunnel

Mohit_Chauhan
Here to help
‎Mar 15 2019 11:15 AM
‎Mar 15 2019 11:15 AM

site to site vpn to ASA with selected subnets to be allowed over the tunnel

Hi ,

We have MX to run site to site with an ASA of a different company. There are lots of common subnets in both organisations and therefore we only want the interesting traffic between a non-conflicting pair. So it is 10.0.0.0/24 behind MX and 192.168.1.0/24 behind ASA which needs to talk to each other.

 

I read about using Tags. The thing I was not sure about was when we create/add a tag, it is applied on the network. Now the network where this MX is sitting is luckily on one subnet which is this 10.0.0.0/24, however it has heaps of static routes, auto-vpn's to Z1's and client vpn networks which talk across in all directions as they are all part of the same organisation. I was not sure if this tag will only apply to the MX LAN subnet or will also include these other subnets. If other subnets will be part of this tag, we will have issues as there are lots of conflicting subnets across the ASA side.

 

I also read about parent tag and sub-tags options, but could not find it in the dashboard. I am sure I wouldn't be the first one trying to achieve this solution. Has someone tried this or can guide me in the right path?

 

Any suggestions or thoughts will be highly appreciated.

 

Thanks.

 

Mo

 

0 Kudos
4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 15 2019 12:15 PM
‎Mar 15 2019 12:15 PM

The site to site non-Meraki VPN configuration is organisation wide.  By default every MX will try and build the VPN.  The tags are used to limit which MX's should attempt to build the VPN.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#Peer_availability

 

When you say to include a VLAN in a VPN it is included in both AutoVPN and non-Meraki VPNs.  You can't specify a seperate list only for non-Meraki VPNs.

 

With these limitations it may not be possible to build the non-Meraki site to site VPN and have it work in this case because of the overlapping subnets.

 

 

On the ASA side it could be done, because the ASA supports doing subnet NAT based translation for VPNs - you could make this work - but this is an advanced configuration.

In response to PhilipDAth
Mohit_Chauhan
Here to help
‎Mar 16 2019 12:42 AM
‎Mar 16 2019 12:42 AM

@PhilipDAth wrote:

The site to site non-Meraki VPN configuration is organisation wide.  By default every MX will try and build the VPN.  The tags are used to limit which MX's should attempt to build the VPN.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#Peer_availability

 

When you say to include a VLAN in a VPN it is included in both AutoVPN and non-Meraki VPNs.  You can't specify a seperate list only for non-Meraki VPNs.

 

With these limitations it may not be possible to build the non-Meraki site to site VPN and have it work in this case because of the overlapping subnets.

 

 

On the ASA side it could be done, because the ASA supports doing subnet NAT based translation for VPNs - you could make this work - but this is an advanced configuration.

Thanks for your inputs here.

If we restrict one MX to connect to ASA in this case using TAG, & make use of the "site to site outbound firewall" to restrict what traffic goes through the tunnel, do you think it should be workable? or any downsides?

 

Otherwise, the other thing I was thinking about (haven't seen any update from Meraki on this though) was to do NAT of traffic before tunnelling. However, from the documentation guide, it only says that is feasible on auto-vpn that too with TAC support.

0 Kudos
In response to Mohit_Chauhan
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 16 2019 12:39 PM
‎Mar 16 2019 12:39 PM

>If we restrict one MX to connect to ASA in this case using TAG, & make use of the "site to site outbound firewall" to restrict what traffic goes through the tunnel, do you think it should be workable?

 

No.  It is not a matter of the firewall rules.  The source and destination encryption domain need to match on each end of the VPN.

 

>was to do NAT of traffic before tunnelling

 

You can't do that in this case.

0 Kudos
NormanYoung
New here
‎Mar 24 2019 2:04 AM
‎Mar 24 2019 2:04 AM

Hey Mohit Chauhan! I read about using Tags too. Im installing VeePN for own service. Once you have your VeePN up and running, you can use it for some really cool different things, too.If you want to catch up on your favourite TV, get cheaper plane tickets and hack YouTube, then you’re going to want to pay attention to this section.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.