Meraki

Community

Meraki Behind a Palo Alto

EdwardMannning
New here
‎Aug 28 2018 9:07 AM
‎Aug 28 2018 9:07 AM

Meraki Behind a Palo Alto

I want to put the Meraki behind a Palo Alto firewall and I need to know what ports I need to open. I try this a few times and my VPN to my  office would not work. If I put it behind a ASA everthying works fine.

 

Does anyone know ? 

Labels:
0 Kudos
6 Replies 6
ww
Kind of a big deal
Kind of a big deal
‎Aug 28 2018 9:16 AM
‎Aug 28 2018 9:16 AM

browse to your dashboard. 》 help 》 firewall info

Bigbub
Conversationalist
‎Aug 28 2018 10:16 AM
‎Aug 28 2018 10:16 AM

Hi There,

 

Here's the link to the required ports to open on the Palo Alto.

 

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Firewall_Rules_for_Cloud_Conne...

 

BB.

0 Kudos
In response to Bigbub
ww
Kind of a big deal
Kind of a big deal
‎Aug 28 2018 10:21 AM
‎Aug 28 2018 10:21 AM

@Bigbub wrote:

Hi There,

 

Here's the link to the required ports to open on the Palo Alto.

 

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Firewall_Rules_for_Cloud_Conne...

 

BB.


its not for every org the same, so best is to check on the dashboard where the mx is added

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 28 2018 11:48 AM
‎Aug 28 2018 11:48 AM

If you are really unlucky, and it is just AutoVPN having the issue, you can configure a specific port to be used and port forward it to the MX.

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Site-to-site_VPN_Settings#NAT_Traversal

0 Kudos
In response to PhilipDAth
ColinKUK
Conversationalist
‎Jul 28 2022 1:27 AM
‎Jul 28 2022 1:27 AM

Hello. Say you have a Hub-Spoke network consisting of both a Private IP MPLS network and Public Internet network this and the Hub has a Palo Alto NG firewall

 

VPN Automated NAT traversal will not work as the PA randomly changes the outbound VPN UDP port. Therefore the remote peers keep sending the to the detination Hub IP but with changing the VPN NAT destination port matched. The PA sees changing ports from the same IP address an intrusion attack and blocks.

 

VPN Manual port forwarding allows only one Public IP:Port to be set. Therefore the remote peer that has a Private IP MPLS will not attempt to connect to the Hub MX using its internal IP address.

 

The solution was to create a 1-to-1 NAT on the Hub PA (specific external IP to Hub MX IP (real or virtual) and allow all Meraki VPN UDP ports

KamaalJema
New here
‎Aug 5 2022 12:54 AM
‎Aug 5 2022 12:54 AM

We had to set the static IP and port in the site-to-site settings as our Palo wasn’t allowing dynamic ports for the VPN connection. This forced the Meraki cloud VPNs to only use that specific port and IP to connect to the HUB. I’m just waking up I’ll send the relevant articles in a bit.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.