vMX in AWS site-to-site VPN and Anyconnect

netguy11
Conversationalist

Hello,

I'm trying to set up the following. I have a test vMX-S deployed in AWS. I can see it on the dashboard in my test organization. All looks good from this point. SW ver is 16.15.

I have two issues:

1) I can connect with remote VPN client (Anyconnect), but then in full tunneling mode traffic is not going out to the Internet. Is this expected behavior from vMX?

2) I'm also trying to establish a 3rd party site-to-site VPN with an MX in another organization (this is for a PoC, that's why I'm keeping it separate and not using AutoVPN), but the tunnel is not coming up. Traffic flow is: remote VPN connected to vMX - 3rd party VPN - MX - LAN. Trying to ping from AnyConnect to the branch LAN to activate the tunnel, but I'm not sure if those packets are actually going to the other end. On vMX I can see some 500 & 4500 packets in the capture. Has anyone successfully deployed such a scenario? Any hints would be more than welcome 🙂

PhilipDAth
Kind of a big deal

>1) ... Is this expected behavior from vMX?

This is the expected behaviour for AWS (nothing to do with Meraki). AWS will only NAT traffic heading out to the Internet from VPC connected subnets. It will not NAT traffic from any other routes (such as the AnyConnect address pool).

Are you sure you have the AnyConnect pool in the third party encryption domain?

Hi Philip,

Thanks for the reply. In my case the VPC subnet is 10.x.0.0/16. I have the vMX in 10.x.0.0/24 and the VPN pool is 10.x.1.0/24. So in theory both /24s are part of the /16 VPC subnet. Should that work?

Yes, I have the VPN pool in the 3rd party enc domain. I got a spare Z3C yesterday. I will test with AutoVPN and check if there is a difference.

EDIT:

Just tested with AutoVPN and communication from AnyConnect to the branch works fine with split tunnel mode. For now only full tunnel is the issue.

Chad3_23
Comes here often

Hello Netguy11,

Trying to test out AnyConnect connecting to a vMX in AWS and I can't get it to connect. I have allowed port 443 in our security group but nothing. Did some packet capturing and it seems like the traffic isn't making it to the vMX. Any suggestions or thoughts? Thanks!

PhilipDAth
Kind of a big deal

You need to allow both UDP and TCP 443.

If you point your web browser to the VMX using HTTPS (which will fail - but it will generate traffic) - do you see it hitting the VMX in a packet capture? If not - you must have an issue on the AWS side.

The VMX should be in a "public" segment, and should have a public IP address (elastic IP) NATed directly to it.

Thank you for the information. I am not seeing that traffic so I will keep investigating.

Thanks for the help. I am now seeing the generated traffic. I am seeing the traffic being hit on the IP (Elastic IP) in AWS but the public IP on the Meraki portal is different and nothing on that IP. I tried connecting to it by the Elastic IP and it isn't prompting to connect. I have allowed udp/tcp 443 on the security group. Appreciate any help or thoughts.

Going to add a couple of tips that will maybe help someone in the future. This isn't a complete step by step guide, just some tips that will help.

First get the VMX spun up using this document -
  • Make sure you add the VMX to the public subnet
  • Your IP in the Meraki dashboard should be the same IP as the public IP under the details

Click Client VPN and enable AnyConnect
  • Fill in the settings that work for your environment
  • AnyConnect VPN subnet - example 192.168.2.0/24 (make this a different subnet than your VPC)

In AWS go to route tables for the public and private subnets
  • Add 192.168.2.0/24 as the destination; the target is going to be your Meraki network interface. To find the Meraki network interface: EC2 -> go to the VMX and click Networking.
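The checks that come up repeatedly in this thread (pool route in every subnet's route table pointing at the vMX interface, both TCP and UDP 443 open inbound, pool kept outside the VPC CIDR) can be run against the AWS side before packet-capturing on the vMX. The following is an added example, not code from Chad3_23, Meraki or Cisco. It works on dicts shaped like the JSON that `aws ec2 describe-route-tables`, `describe-security-groups` and `describe-network-interfaces` return, so their output can be loaded with `json` and passed in; the sample data inline is constructed for the demo (VPC 10.0.0.0/16, pool 192.168.2.0/24, interface `eni-0ccc`). It also goes one step beyond the tips above and flags the EC2 source/destination check, which AWS requires to be disabled on any interface that forwards traffic for addresses it does not own, such as the AnyConnect pool.

```python
"""Check the AWS-side plumbing for AnyConnect on a vMX.

Input dicts are shaped like the JSON returned by `aws ec2 describe-route-tables`,
`describe-security-groups` and `describe-network-interfaces`; only the keys used
below matter, so the real output of those commands can be loaded and fed in.
"""
import ipaddress

# Constructed sample values modelled on the thread (not a real account):
# VPC 10.0.0.0/16, AnyConnect pool 192.168.2.0/24, vMX interface eni-0ccc.
VPC_CIDR = "10.0.0.0/16"
POOL_CIDR = "192.168.2.0/24"
VMX_ENI = "eni-0ccc"

ROUTE_TABLES = [
    {   # public subnet: pool route already points at the vMX interface
        "RouteTableId": "rtb-0aaa",
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb", "State": "active"},
            {"DestinationCidrBlock": POOL_CIDR, "NetworkInterfaceId": VMX_ENI, "State": "active"},
        ],
    },
    {   # private subnet: pool route missing, so replies to VPN clients follow the default route
        "RouteTableId": "rtb-0ddd",
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0eee", "State": "active"},
        ],
    },
]

SECURITY_GROUPS = [
    {   # only TCP 443 opened; AnyConnect's DTLS channel on UDP 443 is missing
        "GroupId": "sg-0fff",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]

NETWORK_INTERFACES = [
    # source/dest check still on: AWS drops packets the vMX forwards for the pool
    {"NetworkInterfaceId": VMX_ENI, "SourceDestCheck": True},
]


def pool_route_ok(route_table, pool_cidr, vmx_eni):
    """True if this route table has an active route for the pool via the vMX ENI."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == pool_cidr:
            return (route.get("NetworkInterfaceId") == vmx_eni
                    and route.get("State") == "active")
    return False


def sg_allows_443(security_group, proto):
    """True if the group has an inbound rule covering port 443 for proto ('tcp'/'udp')."""
    for perm in security_group.get("IpPermissions", []):
        ip_proto = perm.get("IpProtocol")
        if ip_proto == "-1":        # "all traffic" rule, no port fields present
            return True
        if ip_proto != proto:
            continue
        if perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535):
            return True
    return False


def check_plumbing(route_tables, security_groups, interfaces,
                   vpc_cidr=VPC_CIDR, pool_cidr=POOL_CIDR, vmx_eni=VMX_ENI):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    pool, vpc = ipaddress.ip_network(pool_cidr), ipaddress.ip_network(vpc_cidr)
    if pool.overlaps(vpc):
        findings.append(f"pool {pool_cidr} overlaps VPC {vpc_cidr}; use a pool outside the VPC")
    for rt in route_tables:
        if not pool_route_ok(rt, pool_cidr, vmx_eni):
            findings.append(f"{rt['RouteTableId']}: no active route {pool_cidr} -> {vmx_eni}")
    for sg in security_groups:
        for proto in ("tcp", "udp"):
            if not sg_allows_443(sg, proto):
                findings.append(f"{sg['GroupId']}: inbound {proto}/443 not allowed")
    for eni in interfaces:
        if eni.get("NetworkInterfaceId") == vmx_eni and eni.get("SourceDestCheck", True):
            findings.append(f"{vmx_eni}: source/dest check enabled; disable it so AWS forwards pool traffic")
    return findings


if __name__ == "__main__":
    for line in check_plumbing(ROUTE_TABLES, SECURITY_GROUPS, NETWORK_INTERFACES) or ["all checks passed"]:
        print(line)
```

Run as-is it reports the three gaps planted in the sample data (private route table without the pool route, UDP 443 missing from the security group, source/dest check still on); replace the three constants and the sample lists with your own account's JSON to check a real deployment.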
 
Stallone
Conversationalist

Hello @Chad3_23

Can you please help me with a similar issue?

I also have a tunnel between AWS and my on-premise resources via Meraki vMX, but additionally I would like to apply some firewall rules in my AWS account, so I added them to a security group that is attached to the EC2 instance. Unfortunately it didn't work for me, traffic is still unrestricted, so it looks like the security group does not work for inbound traffic.

Hey @Stallone 

Just to verify, your on-premise traffic can't send any traffic to your ec2 instance?   It is all blocked?  
