Meraki Client Vpn Subnet
- Meraki Client Vpn Subnet
- Meraki Client Vpn Subnet Card
- Meraki Client Vpn Subnet Tool
- Meraki Client Vpn Subnet Software
The Client VPN subnet is configured via Configure Client VPN. Take note of this network address as it will be used to implement Firewall rules for controlling traffic related to that subnet. In the following scenario, our Client VPN subnet will be (172.16.1.0/24) Configuring Addressing & VLANs subnet (s). I'd like to allow clients on the Client VPN subnet (.9) to freely communicate with clients on our main subnet (.10). I tried creating a static route but the Z1 will not allow me to make one that overlaps with the Client VPN subnet. Right now I am add static routes client-side and that works until a restart occurs. VPN/RDP to a wireless client in different subnet Hello, kind of an odd one, and i know the issue is the WLAN zone needs to talk to the VPN zone as they are totally diff subnets, but i have a user outside a meraki network who VPNs in and needs to rdp to a wireless windows10 client.
Using an MR access point, if a client connects to an SSID set for NAT Mode, it will be put on an isolated 10.0.0.0/8 network that can then be granted limited access to the local LAN. This can cause conflicts if a 10.x.x.x addressing scheme is in use elsewhere on the network.
This article describes how a conflicting subnet between NAT Mode's Meraki DHCP and a site-to-site VPN subnet is handled, as well as recommended solutions.
Overview
In the figure below, a NAT Mode client with the address of 10.44.90.223 (assigned via Meraki DHCP) is attempting to connect to the corporate network that is using a private addressing scheme of 10.0.0.0/8. A conflict occurs because there is an overlap of local and remote subnets.
Note: Site-to-site VPN is discussed in greater detail within this article.
Conflict
Meraki Client Vpn Subnet
Sometimes a conflict may occur between the client’s local IP configuration and the IP configuration of the remote private network. This occurs if the client’s local network and the remote private network share overlapping subnets. In the figure above, the Site to Site VPN client has retrieved its 10.0.0.0/8 address from the MR Access Point running NAT Mode/Meraki DHCP. The last three octets of the wireless client's IP address are generated by taking the client's MAC address and running it through a hashing algorithm. If the remote VPN site is using a 10.0.0.0/n (of arbitrary size) private addressing scheme, this may cause a conflict where a wireless client has the same IP address as a client on the remote site. This would prevent the VPN client from connecting to the remote site entirely.
Note: The conflict of overlapping subnets will persist with either 'full tunnel' or 'split tunnel' Site-to-site VPN.
Solution
When working with site-to-site VPN, it is recommended that a less common client address range is configured to mitigate any chance of addressing conflicts (172.16.0.0/14, 172.16.20.0/24, 172.16.25.0/24, etc.) This means that if the remote site is using a 10.0.0.0/n network, VPN clients cannot associate with a NAT Mode SSID, and a non 10.0.0.0/n addressing scheme must be created/served to clients attempting to communicate with the remote site. In this circumstance, it may be beneficial to use a Bridge Mode SSID, configured to put clients on an isolated VLAN that can be secured as necessary with firewall rules.
Note: In the event that you are not using Meraki DHCP and you are still having a conflict regarding overlapping subnets with the remote site, Cisco Meraki Devices can support VPN translation. Please contact Cisco Meraki Support if you have any inquires regarding the VPN translation feature.
Additional Resources
Types of Routes
MX Security Appliances support the configuration of several different types of routes, as detailed below.
Meraki Client Vpn Subnet Card
Directly Connected
Directly connected routes are subnets defined in the Security & SD-WAN > Configure > Addressing & VLANs page of Dashboard. This is true of configurations leveraging a number of VLANs defined on an MX, or those that utilize a single subnet configuration with VLANs disabled.
Static routes are not directly connected.
Meraki Client Vpn Subnet Tool
Client VPN
The client VPN subnet is configured under the Security & SD-WAN > Configure > Client VPN page of Dashboard. There is only ever a single client VPN subnet on an individual MX network.
While client VPN utilizes the IPsec protocol to form a secure tunnel with the end device, the client VPN subnet is treated differently from routes to non-Meraki VPN peers.
Static Routes
Static routes are configured on the Security & SD-WAN > Configure > Addressing & VLANs page of Dashboard. Configuration of static routes is only possible while the MX is operating in Routed mode.
Static routes are used to communicate with subnets or VLANs that are not defined or 'owned' by the MX, but are reachable through another layer 3 device on the network. Static routes require a next hop IP address be specified within the scope of a configured VLAN or subnet to be able to successfully route traffic to another layer 3 device.
Static routes are used to define subnets accessible through the LAN of the MX.
AutoVPN
Cisco Meraki's AutoVPN can be configured on the Security & SD-WAN > Configure > Site-to-site VPN page of Dashboard. AutoVPN is a layer 3, IPsec-based site-to-site VPN. The mechanics are outlined in this white paper.
An MX Security Appliance configured to participate in an AutoVPN topology will automatically create routes for subnets included in the AutoVPN topology.
Non-Meraki VPN Peers (Other IPsec)
Non-Meraki VPN peers are configured on the Security & SD-WAN > Configure > Site-to-site VPN page of Dashboard. These VPN peers are connected to using IPsec. If an MX is configured to establish a VPN with a non-Meraki VPN peer, the MX will also have routes to the private subnets defined for that VPN peer.
NAT
Meraki Client Vpn Subnet Software
The MX Security Appliance can be configured to operate in Routed mode, from the Security & SD-WAN > Configure > Addressing & VLANs page of Dashboard. When in Routed mode, the MX can be configured with multiple LAN subnets and static routes. If a route for a particular subnet does not exist on the MX then in this mode, the traffic is NATed and sent out across an Ethernet connection into one of the Internet interfaces, or out a cellular connection.