Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Access to the WAN router that is in front of the MX95

NetC
Conversationalist
‎Dec 5 2022 12:40 PM
‎Dec 5 2022 12:40 PM

Access to the WAN router that is in front of the MX95

We have configured an MX250 with a few switches in our test setup at our corporate headquarters to connect to our remote offices. This has been completed and is working.

 

Now I want to access our external router from the LAN. In Germany, we need an additional end device for our VDSL connections, which in this case is a Fritzbox.

 

This device connects to the internet. On the LAN port, the device assigns an IP address via DHCP. The WAN interface of the MX95 was connected to the LAN.

 

Everything works from both sides. Firewall, WLAN, DHCP server.
One thing I can not get right. I want to access this Fritzbox at the remote site. This has a web interface and that can not be accessed from any network. How do you do that?

 

Remote Office: Clients -> MS250-24P -> MX95 -> FritzBox -> Internet

Labels:
0 Kudos
Subscribe
10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
‎Dec 5 2022 12:50 PM
‎Dec 5 2022 12:50 PM

You need to configure a NAT:

 

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
ww
Kind of a big deal
Kind of a big deal
‎Dec 5 2022 1:15 PM
‎Dec 5 2022 1:15 PM

You want to acces it from the wan side?.

 

Or just from lan on the site itself. Because this should work just going to the lan ip of the fritzbox. (Make sure that wan mx subnet is not learned in vpn routing table,  or blocked at a fw rule)

0 Kudos
Subscribe
NetC
Conversationalist
‎Dec 6 2022 3:03 AM
‎Dec 6 2022 3:03 AM

I want to access from LAN. Of course, the best would also be access to the Fritzbox from the company headquarters.

 

The hint with the routing was an important hint. In the routing tables was still set a network that is sent via VPN. Therefore it could not work. After the change I can access the Fritzbox from the client in the same network.
Of course it would be best to be able to access the device from the company headquarters via NAT. But that would be an outbound NAT which I can't configure that way.

 

Fritzbox: 192.168.188.1/24
MX95 WAN: 192.168.188.20/24
MX95 LAN: 10.248.0.1/24
client: 10.248.0.10/24

 

Client at the company headquarters: 192.168.112.20/24

 

Is it possible to define a virtual IP that sends the connection to the WAN via NAT like 10.248.0.2 (TCP443) to 192.168.188.1 ?


In the NAT settings the error appears that this network is not configured on the LAN side. It looks like only one InboundNAT is working.

 

We want to connect 300 sites. Therefore, a connection to the "real" WAN router would be very helpful.

0 Kudos
Subscribe
In response to NetC
alemabrahao
Kind of a big deal
Kind of a big deal
‎Dec 6 2022 3:13 AM
‎Dec 6 2022 3:13 AM

Sorry buddy, NAT will not work in that case (you don't have a public IP on MX wan), and for your case, It's not required.

 

Do the other sites also have an MX? If yes you just need to use auto VPN, If not you have to configure non-Mreaki S2S VPN.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings

 

https://meraki.cisco.com/technologies/auto-vpn

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
NetC
Conversationalist
‎Dec 6 2022 3:18 AM
‎Dec 6 2022 3:18 AM

All sites are connected with AutoVPN. Currently I have only one site for testing.

0 Kudos
Subscribe
In response to NetC
alemabrahao
Kind of a big deal
Kind of a big deal
‎Dec 6 2022 3:22 AM
‎Dec 6 2022 3:22 AM

Have you enabled the target networks to participate on VPN?

 

alemabrahao_0-1670325757489.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
NetC
Conversationalist
‎Dec 10 2022 12:01 PM
‎Dec 10 2022 12:01 PM

I will try to show the network as it exists in our company. Everything is already set up and works except for the connection to the Fritzbox (this is the red dashed line in the picture). AutoVPN works without problems and this also with MultiWAN.

 

Each site has its own network, but the IP to the Fritzbox is not possible. Even if each device had a different IP with different subnet, I can't get the connection through Meraki.

 

My only current solution for this is a Raspberry which currently does nothing but NAT to Fritzbox. So I can also reach the Fritzbox from the company headquarters.

 

I wish Meraki could solve this without any additional devices.

 

MerakiNetwork.png

0 Kudos
Subscribe
In response to NetC
alemabrahao
Kind of a big deal
Kind of a big deal
‎Dec 10 2022 2:14 PM
‎Dec 10 2022 2:14 PM

I don't know why are you trying to use NAT, the things on meraki are simple. You can communicate your networks on SD-WAN, I just need to be sure that the networks are enabled on VPN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Dec 10 2022 2:17 PM
‎Dec 10 2022 2:17 PM

By the way, if you are connecting the Fritzbox,s LAN port on Meraki WAN port, It will not work.

WAN port doesn't communicate with LAN segment.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
Crocker
Building a reputation
‎Dec 13 2022 3:04 PM
‎Dec 13 2022 3:04 PM

I've done something similar to this, but use it to get into the web interface of the upstream ISP router/modem/whatever  acts as the internet gateway for the MX/Z3 devices at our remote branches. At the remote site:

 

SD-WAN & Traffic Shaping -> Local Internet Breakout -> Create a rule that excludes TCP 80 (or TCP 443, or both) destined for 192.168.1.75 (or whatever the FritzBox's DHCP address is).

 

Then, remote into a workstation/server at the remote site - we use this as a proxy to connect to HTTP(S)://192.168.1.75. The host-specific (or subnet-specific) VPN Exclusion rule makes sure that the traffic targeting 192.168.1.75 on whatever ports we defined doesn't get wrapped up in the AutoVPN and dead-ended at your core.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.