Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About sparrowhawk
sparrowhawk
Here to help
Member since May 7, 2019
Jun 28 2024
Community Record
15
Posts
4
Kudos
0
Solutions
Badges
Jun 27 2024
11:09 AM
Well, the routes are correct according to my colleague who looks after the AWS side of things. I think we need to look at all angles. I was hoping there would be a guide that I could work through but I guess there are too many variables. Thanks for your help anyway, much appreciated.
... View more
Jun 27 2024
9:38 AM
I'll ask my devs about that. I don't have access to the AWS console, unfortunately. Do you think that traffic is not being directed back along the correct route? We all thought that the issue is down to the MX config, but you seem to think the issue is in AWS, yes? I want to clarify if we need to shift our focus, that's all.
... View more
Jun 27 2024
7:58 AM
Hi @alemabrahao thanks for your reply. We have set up a static route between AWS and the OpenVPN client IP range, and I'm told that is working. Can you expand on the source/destination checking? My dev team didn't understand that part. Thanks.
... View more
Jun 27 2024
7:22 AM
We have set up a S2S VPN between our local subnet on our MX100 and AWS. This is working and hosts in AWS can be reached from the LAN. We have an OpenVPN server on the local subnet but when clients are connected to this VPN, they can't reach any hosts in AWS. They can reach everything in the LAN. Can anyone point me to a guide that might help me troubleshoot why this isn't working? Thanks.
... View more
Oct 16 2019
6:15 AM
Hi lpopejoy, that's interesting but I don't think my managers would allow me to use an unsupported feature in our environment. It may help others though, so thanks for posting.
... View more
Oct 16 2019
1:44 AM
I've not managed to crack this problem yet and I'm struggling to form a clear plan. Changing our IP address range is not possible, so I have to find an alternative way forward. I have an MX60 here and my thoughts were that if I can perform the VPN termination and NAT on the MX100, then I'll split the tasks. Do you think it feasible to perform the VPN termination on the MX100 then pass the intermediate subnet over to the MX60 to be NATed to our local subnet? If there's a guide out there on how to set this up that would be even better. Thanks
... View more
Oct 6 2019
2:36 PM
Hi Philip, thanks, that makes things clearer. I'm not sure what the implications of using 192.168.2.0/23 would be as we are already using 192.168.5.0 through 192.168.6.254 as our DHCP range and we have other sites using 192.168.3.0/24 and 192.167.7.0/24. This sounds like too big a change to make in a production environment so I may just suggest to my colleagues that we buy another firewall that is capable of using NAT for a VPN. My inability to link our network to our client's is now affecting income streams, so the argument to drop some cash is there. Thanks
... View more
Oct 6 2019
1:38 PM
Our current local VLAN is 192.168.0.0/21. The remote site also uses this subnet. However, we only actually use 192.168.2.0 and above, so I thought I could simply change our subnet to 192.168.2.0/21 and that would free up the first 512 addresses to route to the remote site. When I make the change on the MX though, it stays at 192.168.0.0/21. Can anyone help me understand where I'm going wrong? Thanks
... View more
Oct 3 2019
12:25 PM
Hi Roger, an MX100 our side and we've tried a Sophos XG box and a Juniper at the client's site. Neither worked.
... View more
Oct 3 2019
12:23 PM
Hi Philip, the other end has configured NAT but this didn't work. They expressed the same opinion, that we need to configure NAT at our end as well. However, none of the Meraki engineers who have tried to help have suggested this and it appears not to be possible. The servers that need to talk to each other cannot easily be moved to a DMZ unfortunately. One is a production SQL server belonging to our client, the other an RDS server that our staff use to run a data analysis tool. So I think that we will need to reduce the scope of our subnet. It's not that big a deal, but it would have been a lot simpler if we could have done the job with NAT. And what happens if we need to set up more VPN links to other clients and suppliers in the future? There's a high chance that there will be a clash that can't be got around this way. So Meraki kit seems very limited in this respect. Meraki to Meraki VPN doesn't have this issue though, which is interesting.
... View more
Oct 3 2019
9:20 AM
Hey Nolan, don't feel too left out. I've spent over three hours on support calls with four different Meraki engineers over this and none of them was seemingly aware of this fact either. LOL
... View more
Oct 3 2019
7:12 AM
1 Kudo
Hi Robin, that was one thing I did consider. However, after further discussion, we've decided that we can reduce our local subnet as we are using a /21 mask so have plenty of addresses spare. Thanks
... View more
Oct 3 2019
2:57 AM
Hi Roger, thanks for your reply. That's what I thought too. The other site have done so on their Sophos XG box but as you say, I'm not sure how to assign a NAT rule to a VPN tunnel.
... View more
Oct 3 2019
1:53 AM
Is someone able to tell me how to configure an MX firewall to enable a site to site VPN between two organisations with the same IP address ranges? Support have not been able to advise on this. I suspect we need to create an internal network that is part of the existing subnet or maybe reduce the existing range? I'm not a networking engineer so my knowledge in this area is limited, Thanks.
... View more
May 7 2019
8:25 AM
3 Kudos
Security Center logging is now down to two weeks. Are sales of Stealthwatch Cloud too slow for Cisco I wonder?
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 3 | 4545 | |
| 1 | 8930 |
© 2025 Cisco Systems, Inc.
