Letting fixed IP addresses go through our MG41E or MG21E gateways?

RobustMeraki
Getting noticed

Hi Team, this is a question customers often ask us when we suggest that they use MGs in areas where they have no possibility of an Internet connection.

Is there a way to let these fixed IP addresses from the customer through? Any info on that?

DarrenOC
Kind of a big deal

Hi @RobustMeraki, can you elaborate a little here on what you're trying to achieve? Fixed IPs of what devices? What's the topology?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
RobustMeraki
Getting noticed

Unfortunately I do not have this information. The customer wants to be able to use some fixed IP addresses passing through the gateway and we are planning to offer him access points that can be used by around 100 employees. There will be no internet connection but only the gateway offered as WAN.

In what way they will be using these Fixed IP addresses is something we do not know.

rhbirkelund
Kind of a big deal

If I understand your question correctly, your customer wants to reach certain IP addresses at Site A from Site B.

An MG is just a Cellular Gateway. It provides internet connectivity over a Cellular Network, and will require a cellular data subscription with an ISP. Most likely, the subscription will be subjected to CG-NAT, thus you will not be able to forward fixed IP assignments over the cellular network. If you need to reach some IP addresses at Site A, from Site B over the Cellular Network, you'll need a firewall of some kind which will provide a VPN connection between the two sites, e.g. a Meraki MX at Site A and Site B.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
RobustMeraki
Getting noticed

Hi @rhbirkelund, thank you for the answer. The customer may have a Sophos Firewall on Site A and on Site B there is no other Internet connection (WAN) than the MG Gateway because it is a remote site. There will be an MX85 connected after the MG41E. Can we in this scenario also get a VPN connection with Sophos and MX85 (that has MG before it) and let the IP addresses pass through the Site B network?

rhbirkelund
Kind of a big deal

Most likely, yes. You'll have to configure a Third-Party Non-Meraki VPN.

However, you'll need to work with your cellular ISP to provide you with an APN that is not subjected to CG-NAT. Otherwise you might not be able to build a VPN tunnel.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
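
A check for the CG-NAT condition described in the replies above, as an added example that is not part of any post in this thread: it classifies the address the carrier assigns to the cellular uplink and says whether a remote peer could open a tunnel toward the site. The function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, which some carriers hand out instead.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(assigned, observed=None):
    """Classify the carrier-assigned IPv4 address of a cellular uplink.

    assigned: address shown on the gateway's cellular interface.
    observed: source address an internet host sees for traffic from the
              site (optional; detects NAT in front of a public-looking address).
    """
    addr = ipaddress.IPv4Address(assigned)
    if addr in CGNAT:
        return "cgnat"
    if any(addr in net for net in RFC1918):
        return "private"
    if observed is None:
        return "unverified"      # public-looking, but translation not ruled out
    if ipaddress.IPv4Address(observed) != addr:
        return "translated"      # carrier rewrites the source address
    return "public"


def can_accept_inbound_vpn(verdict):
    """True only for an untranslated public address. For cgnat, private and
    translated the remote peer cannot initiate toward this site; unverified
    means the observed address still has to be compared."""
    return verdict == "public"


if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not from the thread.
    samples = [("100.72.13.5", None), ("10.20.30.40", None),
               ("203.0.113.10", "198.51.100.7"),
               ("203.0.113.10", "203.0.113.10")]
    for assigned, observed in samples:
        verdict = classify_wan(assigned, observed)
        print(assigned, observed, verdict, can_accept_inbound_vpn(verdict))
```
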
PhilipDAth
Kind of a big deal

Building a site to site VPN from the MX85 (behind an MG) to a Sophos is likely to be a NIGHTMARE. I would avoid this at all costs.

If you want a reliable VPN, you'll need to sell them a second MX to put behind the Sophos, and run that unit in VPN concentrator mode.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide 

Then use Meraki AutoVPN to create the VPN.

RobustMeraki
Getting noticed

Would it be better that they use their spare Sophos behind MG instead of MX85 and connect their Sophos in the other country together? The only concern is how MG will be letting the connection through.

Frank-NL
Getting noticed

Hi, that would be an option, yes. The fixed IP address depends on the subscription at the cellular provider. The MG is just pass-through.

DarrenOC
Kind of a big deal

I know it's dangerous to make assumptions but I like to live dangerously 😎 - I'm assuming they may have some endpoints (PCs/phones etc.) that are currently statically assigned IPs... just as long as you define their IP and DHCP schemas accordingly then there's no reason why they couldn't be allowed access through the MGs!

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.