Hello everyone,
I am new to the Meraki security appliance world and recently replaced our aging ASA with an MX250. One of our non-meraki site-to-site VPN connections with an outside vendor is not working because they are telling me that we are sending all our internal subnets (a lot) and that they overlap with other customer subnets they have already. We tried limiting to just the single internal subnet we need to pass using the “Site-to-site outbound firewall” but I guess that isn’t the same thing as having them defined.
In the old ASA we could easily define the subnets we were passing. Is there a way to do this with the Meraki MX250 that I’m just not seeing?
Unfortunately it is defined in the vpn settings local networks. Any networks enabled there will be used. To do this with meraki you would need a dedicated MX for third party vpn connections and then only specify the subnets you want on the peers.
Just to be clear, this is not a MX250 limitation, but rather the way it works on all MX appliances when talking to non-MX remote devices.
- Since you are pinning up this IPSec on an MX on your side, you are clearly using a policy-based IPSec VPN.
- In a policy-based VPN, you define the local subnets you wish to send to them in the “Private subnets” field. You do not have to list all network ranges available in your site, but rather only need to include the ones you wish to make available to the far end.
- Do you actually have clients from all over your enterprise trying to talk to endpoints on the remote side of this VPN? Is the traffic bi-directional, or all your side → remote side?
Since you do not have a routing protocol established with the remote side of the VPN tunnel, you are not advertising routes to them, but if you put all of your local subnets in the “Private subnets” field, you are asking the remote side to treat all of that IP space as if it belongs to you. In the case of overlapping subnets, this is clearly untenable. Typically these problems are overcome by using source-NAT on your side of the VPN tunnel so you can hide your clients behind a subnet range that does not overlap with the remote party. You can do this with an MX, but not the same MX terminating the IPSec tunnel. If you truly have clients living in IP space which overlaps with the remote network, you’ll either need another MX or some other device you can use as a source-NAT for your clients.
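A quick way to check the overlap problem described above before touching the peer configuration, as an added example that is not from the thread or from Meraki: it takes the candidate “Private subnets” list, the ranges the vendor says are already claimed, and a hypothetical source-NAT pool (all values below are constructed), and reports which subnets can be listed as-is and which would have to be hidden behind the NAT pool on a separate device.

```python
import ipaddress

# Constructed sample data (not from the thread): subnets we would put in the
# "Private subnets" field, ranges the vendor says its other customers already
# use, and a hypothetical non-overlapping pool for source-NAT on another device.
LOCAL_SUBNETS = ["10.10.0.0/16", "10.20.5.0/24", "192.168.50.0/24"]
VENDOR_CLAIMED = ["10.10.0.0/24", "10.20.0.0/16"]
NAT_POOL = "100.64.10.0/24"


def overlap_report(local, claimed):
    """Map each local subnet to the vendor-side ranges it collides with."""
    claimed_nets = [ipaddress.ip_network(c, strict=True) for c in claimed]
    report = {}
    for subnet in local:
        net = ipaddress.ip_network(subnet, strict=True)
        report[subnet] = [str(c) for c in claimed_nets if net.overlaps(c)]
    return report


def selector_plan(local, claimed, nat_pool):
    """Split local subnets into those safe to list in the policy-based
    selector set and those that must be source-NATed first.

    Raises if the NAT pool itself collides with the vendor's space, since
    hiding clients behind a colliding range would recreate the problem."""
    pool = ipaddress.ip_network(nat_pool, strict=True)
    for c in claimed:
        if pool.overlaps(ipaddress.ip_network(c, strict=True)):
            raise ValueError(f"NAT pool {nat_pool} overlaps vendor range {c}")
    report = overlap_report(local, claimed)
    direct = [s for s, hits in report.items() if not hits]
    natted = [s for s, hits in report.items() if hits]
    # What the vendor would see as our "Private subnets": only the clean
    # ranges, plus the NAT pool if any clients have to be hidden behind it.
    advertised = direct + ([nat_pool] if natted else [])
    return {"direct": direct, "natted": natted, "advertised": advertised}


if __name__ == "__main__":
    plan = selector_plan(LOCAL_SUBNETS, VENDOR_CLAIMED, NAT_POOL)
    for key, subnets in plan.items():
        print(f"{key:>10}: {subnets}")
```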
Are you specifying the private subnet(s) in the non-Meraki VPN Peer options? If you are doing so, and you are still sending all your other subnets, then I would recommend opening a case with Meraki to see if they can edit on their side (may not be possible).
From a paranoia standpoint, I would work with the vendor to come up with another option. Even if you may parse the private subnets down to only what is needed, the fact that overlapping subnets with other customers is a concern of theirs means that in the wrong circumstance other customers could reach your network.
Why not ask the other side to add all of your subnets? Anyway, you are filtering traffic using your VPN outbound firewall rules. The remote side can also do the same, and pretty much all the vendors support this.
OP mentioned the other side already has his networks for other customers