Tuesday, June 12, 2018

5506-X AnyConnect termination behind Meraki MX

As the title states, I have a customer I'm doing some work for and need to migrate their older 5505 and 3900 series router to a Meraki MX appliance. Because Meraki does not currently support AnyConnect VPN and the customer wants that functionality, a 5506-X was purchased to handle that role exclusively.

So here's where I would either like some experience from someone who has done this in the past, or to bounce some ideas around to better understand what I'm going to attempt and whether it works.

The customer's VPN has a hostname for clients to connect to, in some sort of "vpn.abc.com" format, which their employees already use. To my knowledge, when you connect to the VPN using the FQDN, the client performs the DNS lookup for you and automatically connects to the outside-facing port that allows the SSL VPN to establish a connection. Here's where my question comes into play, as the 5506-X is not the outside-facing device but is sitting behind the MX in a subnet of its own.

If I am to have the network as Internet > MX > 5506-X, all I would need to do is the following:
1. Assign an IP to the outside interface of the 5506-X which falls into a private IP subnet assigned by the MX (example: 192.168.1.1 = MX, 192.168.1.2 = 5506-X).
2. Perform a 1:1 NAT translation on the MX stating that 192.168.1.2 will use a specified external IP, with the specified ports for the SSL VPN to connect.

I guess my biggest question is: where is the DNS name assigned? As this is my first time standing up AnyConnect on an ASA, would the FQDN be applied to the 5506-X in the cert? Or would I have to put the hostname on the MX so it translates and directs the clients to the 5506-X to complete the connection? As opposed to someone having to type in something like 20.154.1.30 every time they want to connect to the VPN.

Thanks!
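A post-deployment check for the setup described above, added here as an example and not part of the original post: it confirms that the public DNS name resolves to the MX's 1:1 NAT public IP and that a verified TLS handshake to the published port presents a certificate issued for that FQDN (the FQDN, public IP and port values are placeholders).

```python
# Added example (not from the original post). Assumes: the public A record for
# the VPN FQDN points at the MX's 1:1 NAT public IP, and the ASA's identity
# certificate carries that FQDN in its Subject Alternative Name (SAN).
import socket
import ssl
from typing import Iterable, Tuple


def san_covers_hostname(fqdn: str, san_entries: Iterable[Tuple[str, str]]) -> bool:
    """True if a DNS SAN entry matches fqdn; a leading '*' matches exactly one label."""
    host_labels = fqdn.lower().rstrip(".").split(".")
    for kind, value in san_entries:
        if kind.upper() != "DNS":
            continue  # IP-address SANs do not satisfy a connection by hostname
        labels = value.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if labels[0] == "*" and len(labels) > 2 and labels[1:] == host_labels[1:]:
            return True
    return False


def check_vpn_publication(fqdn: str, expected_public_ip: str, port: int = 443) -> dict:
    """Resolve fqdn, compare with the NAT public IP, then do a verified TLS
    handshake and confirm the presented certificate is issued for fqdn."""
    result = {"resolved_ip": None, "dns_ok": False, "tls_ok": False,
              "san_ok": False, "error": None}
    try:
        result["resolved_ip"] = socket.gethostbyname(fqdn)
        result["dns_ok"] = result["resolved_ip"] == expected_public_ip
        ctx = ssl.create_default_context()  # verifies chain and hostname
        with socket.create_connection((fqdn, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                result["tls_ok"] = True
                san = tls.getpeercert().get("subjectAltName", ())
                result["san_ok"] = san_covers_hostname(fqdn, san)
    except ssl.SSLCertVerificationError as exc:
        # Seen when the ASA still presents its self-signed certificate or one
        # issued for another name; AnyConnect clients would warn here as well.
        result["error"] = f"certificate verification failed: {exc.verify_message}"
    except OSError as exc:  # DNS failure, refused port, timeout (NAT rule gap)
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    # Placeholder values; substitute the customer's FQDN and NAT public IP.
    print(check_vpn_publication("vpn.abc.com", "203.0.113.10"))
```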
