Cisco Meraki Documentation

Cisco Secure Connect - ZTNA Network Prerequisites & Troubleshooting

Prerequisites 


The main prerequisites for clientless remote access to work properly are as follows. 

  • Connectivity to the application hosting sites 

  • Routing requirements 

Let’s understand each in detail. 

Connecting application hosting sites to the Fabric: 

There are several possibilities depending on the environment and the deployment of the application.  

  1. If the application is hosted on-prem, an appropriate tunnel to the Secure Connect Cloud is needed. 

  • If it is a Meraki device, AutoVPN is the fastest possible way. 

  • If it is a non-Meraki device, you will need to set up a standard IPsec site-to-site tunnel.   

  2. If the application is hosted in the Cloud, the choice depends on the cloud provider and the connector being used in the Cloud: 

  • If AWS and vMX, an AutoVPN tunnel is the way to go. 

  • If AWS, Azure, GCP, or any other cloud provider, standard IPsec or SLVPN from the respective cloud provider’s gateway or virtual firewall is appropriate. 

To learn more about this, please click here

Routing requirements: 

  • Our proxy IP Subnet: 

    • 100.64.0.0/10

  • For Meraki routers (MX on-prem), the AutoVPN configuration should share the default route to the Secure Connect hub, which will cover this routing requirement. 

  • The default route for a vMX in the Cloud (AWS or Azure) will generally go to the internet via the AWS gateway or Azure gateway. To make clientless ZTNA work, you must add static routes for our proxy block (100.64.0.0/10) that point to the vMX interface instead of the AWS or Azure gateway.   

  • Dynamic routing is not currently available for non-Meraki routers on the application hosting site. Therefore, for return traffic, the application-side router must have a route to our proxy block through the backhaul tunnel.
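The routing requirement above is easy to get wrong in a cloud route table: a default route to the internet gateway silently wins unless a route for the proxy block points at the vMX interface, and a more-specific route inside 100.64.0.0/10 that points elsewhere still bypasses the vMX because longest prefix wins. The following added check (example code, not Meraki's own tooling) models a route table as (destination CIDR, target) pairs, as exported from AWS or Azure, and reports whether return traffic for the proxy block would reach the expected vMX target. The target identifiers and route table contents are constructed placeholders.

```python
"""
Verify that a cloud route table sends return traffic for the Secure Connect
proxy block (100.64.0.0/10) through the vMX interface rather than the cloud
internet gateway. Added example; route targets below are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

PROXY_BLOCK = ipaddress.ip_network("100.64.0.0/10")

# (destination CIDR, target id) as you would read it from the cloud console
Route = Tuple[str, str]


def covering_route(routes: List[Route], prefix: ipaddress.IPv4Network) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix route whose destination contains the whole prefix."""
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != prefix.version:
            continue  # IPv6 entries cannot cover an IPv4 block
        if prefix.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best


def check_proxy_return_path(routes: List[Route], vmx_target: str) -> Tuple[bool, List[str]]:
    """Return (ok, findings) for the proxy block against the expected vMX target."""
    findings: List[str] = []

    cover = covering_route(routes, PROXY_BLOCK)
    if cover is None:
        findings.append(f"no route covers {PROXY_BLOCK}; return traffic is blackholed")
    elif cover[1] != vmx_target:
        findings.append(f"{PROXY_BLOCK} falls under {cover[0]} -> {cover[1]}, not {vmx_target}")

    # Longest prefix wins, so any more-specific route inside the block that
    # points elsewhere steals part of the return path even when the /10 is right.
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if (net.version == PROXY_BLOCK.version and net != PROXY_BLOCK
                and net.subnet_of(PROXY_BLOCK) and target != vmx_target):
            findings.append(f"more-specific route {net} -> {target} bypasses {vmx_target}")

    return (not findings, findings)


if __name__ == "__main__":
    # Constructed AWS-style table: only a local route and a default to the IGW.
    before = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
    after = before + [("100.64.0.0/10", "eni-vmx-EXAMPLE")]
    for name, table in (("before", before), ("after", after)):
        ok, findings = check_proxy_return_path(table, "eni-vmx-EXAMPLE")
        print(name, "OK" if ok else "PROBLEM", findings)
```

For an on-prem MX the same function applies with the AutoVPN hub as the expected target; since the MX shares the default route to the Secure Connect hub, a table of `[("0.0.0.0/0", "autovpn-hub")]` passes without an explicit proxy-block entry.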