
DMVPN Hub Behind Meraki MX

mloraditch
Level 7

So we are transitioning to Meraki gear, but still have a sizable DMVPN Deployment. My Hub is currently NAT'd behind an ASA. Meraki MXs will not pass ESP traffic natively.

Per the docs, you have to use NAT-T: https://documentation.meraki.com/MX-Z/Other_Topics/Using_VPN_through_an_MX_Security_Appliance

Can I do that with a DMVPN hub somehow? Will some trickery and using a loopback to essentially double NAT it work? The hub doesn't currently run any NAT.

I have some ideas on the config, but if anyone has done this, I would appreciate some feedback!

3 Replies

Philip D'Ath
VIP Alumni

I have done exactly this. I put the DMVPN hubs and the new MXs side by side (I used the MXs in NAT mode - not on a stick). Each had their own public IP addresses mapped to them.

As we migrated each site across we changed the internal routing so that the remote site was reachable via the MX hubs instead of the DMVPN hubs.

I don't think I would use the approach of mapping a single public IP address to both DMVPN and Meraki. Meraki is an independent firewall in its own right. I would rather install a temporary Internet circuit and plug it into the Meraki kit for the duration of the migration than try and share a single public IP address.

But that's me, I like nice simple predictable migrations.

I can definitely put the hub directly on the DMZ. Was just hoping to avoid that. Makes some routing tricky in certain scenarios. But it is what it is. The migrations could be multi-year affairs as equipment reaches EOL.

Thanks!

Why not put the "WAN" interface in the DMZ, and the internal interface somewhere else that is convenient?
