Cisco Meraki – allowing client VPN access to other (VPN) sites

Posted by on 18 Feb, 2015 in Cisco Meraki, Firewalls, Security | 0 comments

Setup:

  • Cisco Meraki MX100 (connected with a static external IP)
  • Juniper Netscreen SSG5/NS5GT (connected with a static external IP)

The above two sites are connected to one another using the guide in my other post which can be found here

 

If you use the Cisco Meraki MX Firewall to connect to third party firewalls such as Juniper Netscreen’s you will notice that clients who are connected to the Meraki VPN client won’t have access to VPN sites even if you allow them access on the Meraki’s Site-to-Site VPN page. This is because to need to add the Client IP ranges to the third party firewalls.

 

If you are using a Juniper SSG5 or similar you need to add the Meraki Client’s internal IP ranges to the following places in the Juniper Firewall:

  • On the Proxy ID for the VPN (VPNs > Autokey IKE > Proxy ID) you need to add the internal IP ranges of the Meraki Client
  • You need to create a untrust address for the Client VPN IP ranges in Policy > Policy Elements > Address > Lists.
  • Once the addresses above have been created you need to add the addresses to the existing policies for the juniper to the Meraki and vice versa.
  • Finally you need to create a route to the destination using the same tunnel interface as the existing VPN in Network > Routing > Destination.

This will allow the users on the client VPN to access the site connected with a VPN between the Meraki and Juniper Netscreen.

Leave a Reply

Your email address will not be published. Required fields are marked *