Meraki Behind a Palo Alto

EdwardMannning
New here

I want to put the Meraki behind a Palo Alto firewall and I need to know what ports I need to open. I tried this a few times and my VPN to my office would not work. If I put it behind an ASA everything works fine.

Does anyone know?

ww
Kind of a big deal

Browse to your dashboard > Help > Firewall info.

Bigbub
Conversationalist

Hi There,

Here's the link to the required ports to open on the Palo Alto.

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Firewall_Rules_for_Cloud_Conne...

BB.

ww
Kind of a big deal


@Bigbub wrote:

Hi There,

Here's the link to the required ports to open on the Palo Alto.

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Firewall_Rules_for_Cloud_Conne...

BB.

It's not the same for every org, so it's best to check on the dashboard where the MX is added.

PhilipDAth
Kind of a big deal

If you are really unlucky, and it is just AutoVPN having the issue, you can configure a specific port to be used and port forward it to the MX.

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Site-to-site_VPN_Settings#NAT_Traversal

Hello. Say you have a Hub-Spoke network consisting of both a Private IP MPLS network and a Public Internet network, and the Hub has a Palo Alto NG firewall.

VPN Automated NAT traversal will not work, as the PA randomly changes the outbound VPN UDP port. Therefore the remote peers keep sending to the destination Hub IP, but with a changing VPN NAT destination port to match. The PA sees changing ports from the same IP address as an intrusion attack and blocks them.

VPN Manual port forwarding allows only one Public IP:Port to be set. Therefore the remote peer that has a Private IP MPLS will not attempt to connect to the Hub MX using its internal IP address.

The solution was to create a 1-to-1 NAT on the Hub PA (specific external IP to Hub MX IP, real or virtual) and allow all Meraki VPN UDP ports.

KamaalJema
New here

We had to set the static IP and port in the site-to-site settings, as our Palo wasn't allowing dynamic ports for the VPN connection. This forced the Meraki cloud VPNs to only use that specific port and IP to connect to the HUB. I'm just waking up; I'll send the relevant articles in a bit.
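As an added illustration of the failure mode the two posts above describe (this is not any poster's code, nor Meraki or Palo Alto tooling): a small Python model in which a hub MX behind three kinds of NAT registers its public endpoint with a cloud-side registry and a remote spoke then tries to reach it. The registry, the addresses and the UDP port number are constructed stand-ins, and a deterministic counter stands in for the firewall's random per-flow port choice. Only the Internet path is modelled, not the MPLS peer.

```python
"""Toy model of UDP NAT traversal for a hub behind a firewall.

Constructed illustration only, not Meraki or Palo Alto code. Addresses and
ports are sample values from the documentation ranges; the 'registry' is a
generic stand-in for whatever the cloud uses to tell peers each other's
public endpoint (an assumption about the mechanism, kept deliberately simple).
"""
from itertools import count
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, udp port)

HUB_PRIVATE: Endpoint = ("10.0.0.2", 9350)    # constructed: MX inside the hub firewall
HUB_PUBLIC_IP = "203.0.113.10"                # constructed: hub's public address
REGISTRY: Endpoint = ("198.51.100.5", 9350)   # constructed: cloud-side registry
SPOKE: Endpoint = ("192.0.2.20", 9350)        # constructed: remote peer on the Internet


class PerFlowNat:
    """NAT that hands out a fresh public source port for every
    (private source, public destination) pair and only lets that same
    destination reply on it. This is the behaviour the thread blames for
    AutoVPN breaking: the port the registry learns is not one the spoke may use."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._ports = count(40000)                 # deterministic stand-in for random ports
        self._out: Dict[Tuple[Endpoint, Endpoint], int] = {}
        self._in: Dict[Tuple[int, Endpoint], Endpoint] = {}

    def translate_out(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        key = (src, dst)
        if key not in self._out:
            port = next(self._ports)
            self._out[key] = port
            self._in[(port, dst)] = src            # reply accepted only from dst
        return (self.public_ip, self._out[key])

    def translate_in(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Inbound packet from src to our public IP:dst_port; None means dropped."""
        return self._in.get((dst_port, src))


class PortForwardNat(PerFlowNat):
    """Same NAT plus one fixed public port forwarded to the hub
    (the 'manual port forwarding' option discussed in the thread)."""

    def __init__(self, public_ip: str, private: Endpoint, public_port: int) -> None:
        super().__init__(public_ip)
        self.private = private
        self.public_port = public_port

    def translate_in(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        if dst_port == self.public_port:
            return self.private
        return super().translate_in(src, dst_port)


class OneToOneNat:
    """1-to-1 NAT: the public IP is the hub for every peer and every port,
    so whatever endpoint the registry learned is always reachable."""

    def __init__(self, public_ip: str, private: Endpoint) -> None:
        self.public_ip = public_ip
        self.private = private

    def translate_out(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        return (self.public_ip, src[1])            # source port preserved

    def translate_in(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        return (self.private[0], dst_port)


def hub_reachable(nat, advertised: Optional[Endpoint] = None) -> bool:
    """Run the traversal exchange once and report whether the spoke's first
    packet lands on the hub.

    advertised: a manually configured public IP:port that the hub publishes
    instead of what the registry observed (the 'static IP and port' setting)."""
    # 1. Hub punches out to the registry; the registry records what it sees.
    observed = nat.translate_out(HUB_PRIVATE, REGISTRY)
    # 2. Registry hands the spoke the hub's public endpoint.
    target = advertised or observed
    # 3. Spoke sends directly to that endpoint; does the NAT deliver it?
    delivered = nat.translate_in(SPOKE, target[1])
    return delivered is not None and delivered[0] == HUB_PRIVATE[0]


if __name__ == "__main__":
    cases = {
        "per-flow NAT, automatic traversal": (PerFlowNat(HUB_PUBLIC_IP), None),
        "per-flow NAT + port forward, manual": (
            PortForwardNat(HUB_PUBLIC_IP, HUB_PRIVATE, 9350), (HUB_PUBLIC_IP, 9350)),
        "1-to-1 NAT, automatic traversal": (OneToOneNat(HUB_PUBLIC_IP, HUB_PRIVATE), None),
    }
    for name, (nat, adv) in cases.items():
        print(f"{name:38s} hub reachable: {hub_reachable(nat, adv)}")
```

The per-flow case fails because the NAT only admits the registry on the port it allocated for the registry flow, which is exactly the registry-learned endpoint the spoke is told to use; the port-forward case works only when the hub advertises the forwarded port rather than the observed one, and the 1-to-1 case works without any manual setting.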
