vMX100

SCC
Building a reputation

vMX100

Hi All,

 

We currently have two virtual SOPHOS Firewall on Azure Cloud one in Australia East (10.10.10.0/24) and second is in Australia south east (20.20.20.0/24). The plan is to replace these SOPHOS Firewall from Azure Cloud with Meraki vMX100.

 

Now, i am confused and i like to know. If i will configure the vMX100 on Australia East (10.10.10.0/24) and second is in Australia south east (20.20.20.0/24). Can i keep the same network ? i think no. But if its no possible to keep the same network what i have behind the SOPHOS on Azure Cloud. Then, how would i plan to replace the SOPHOS Firewall. As it will take sometime to transition clients from SOPHOS to Meraki and untill our clients are fully migrated we can't replace SOPHOS firewall.

 

Please advise what should be the best way to plan this.

 

 

8 REPLIES 8
cmr
Kind of a big deal
Kind of a big deal

@SCC what are you using the Sophos firewalls for, simply remote access to Azure resources in the two locations, or do you have a RED connection between them? Do clients need to connect to both separately or can they connect to either and see resources from both?  What connection are you using, SSL VPN or IPSEC client VPN?  Do you have multiple polices?

 

The two vMXs will need to be in separate Networks in the same Organisation and if needed you can do an AutoVPN connection between them as that is similar to a RES tunnel.  The Meraki client VPN isn't as good as the Sophos yet, but is getting better so unless you have to move now,  you might want to wait for Anyconnect support as at least it has a decent client then.

PhilipDAth
Kind of a big deal

When you deploy the VMX there is an option to click "Advanced" and select an existing VNET and subnet to connect to.  You must use this option.

 

If you do this, you can retain your existing subnets (assuming, of course, they are globally unique in your organisation).

SCC
Building a reputation

@PhilipDAth 

 

If i do this you mean i would be able to use the same network for which currently the Gateway is SOPHOS Firewall. And by doing this Meraki would also be able to use the same network but how the Gateway will work ?

How Meraki would know that it is using the same network for which the SOPHOS firewall is currently the Gateway.

Sorry if i sound stupid.

PhilipDAth
Kind of a big deal

The VMX is simply a VPN concentrator.

 

You add static routes to your VNET via the VMX for your remote sites.  In you case you your probably add them to the Sophos device as well so it new how to get to your remote networks.

SCC
Building a reputation

@PhilipDAth 

 

The plan is to have a one vMX100 on Australia South East and one in Australia East region. We currently have the SOPHOS Vitural UTM9 Firewall in each region. The plan is to remove SOPHOS in a longer run and just migrate all clients to vMX100. so that our clients can access the office 365 resources on the Azure Cloud.

As we are the MSP for Microsoft Office 365 which is hosted on Azure as well. The confusion I am having is there is already some network behind the SOPHOS. How can I have the same network behind the vMX100. Can I have the same network behind vMX100 ? This is the cloud part.

 

Now on the remote sites. We will be having different clients some are already on SOPHOS at client site and new clients are either going to be on Meraki or maybe also can be on SOPHOS. The Site to Site VPN from these various clients are going to be part of the different organization in Meraki Dashboard. As vMX100 will be part of MSP ORGNANISATION while different clients are going to be part of different ORGANISATION in Meraki.

 

 

 

 

PhilipDAth
Kind of a big deal

Why would your clients want to use a VPN to access Office 365?  Why wouldn't they just access it over the Internet?  or did you mean something in Azure?

 

>How can I have the same network behind the vMX100

 

Yes.

 

The easiest way to make this work is (all in one Meraki organisation) deploy a VMX into each Azure region.  Then at each customer site deploy something like a Z3/MX67 also in VPN concentrator mode behind whatever firewall they already have (whether this is a Sophos or a Meraki MX in their own org).  Note that this special org only needs "enterprise" licencing, as it is only used for SD-WAN and nothing else.

On their existing firewall add a static route pointing to the MX in VPN concentrator mode for the remote subnets.

SCC
Building a reputation

@PhilipDAth 

Here is the high level diagram. This is the current setup. The Plan is to replace SOPHOS Firewall on Azure Cloud with vMX100

 

 

SOPHOS Network.png

SCC
Building a reputation

@PhilipDAth 

 

We had a call with Meraki and they have advised that Multi tennancy is not available on vMX or MX therefore. i will be good idea to look for the solutuon of Azure Virtual WAN and map the v-net.

 

https://documentation.meraki.com/MX/Deployment_Guides/Cisco_Meraki_MX_Branch_to_Azure_Virtual_WAN_De...

 

Any thoughts. This is looking promising to me.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels