Allow Incoming Traffic Through MX Firewall

DunJer622
Building a reputation

Allow Incoming Traffic Through MX Firewall

Greetings,

 

Here's the scenario...

 

Our office is essentially breaking up into 2 offices (state and corp).  The state office is effectively across a hallway from the corp office.  The state office has an MX84 and is using 2 WAN ports.  WAN1 is a Comcast feed (public ISP), while WAN2 is connected to our corp private switch (using 192.168.1.x).  The intention is to allow the state office to have a direct (1GB) connection to the corp server environment (avoiding the need to go over the Internet), while having their own Internet circuit available for streaming and web activities.

 

From the state office, I can fully see the corp network, able to directly connect to servers and phone controllers.  The issue is return traffic.  I'm not having any luck pinging the state firewall (10.20.x.x) from the corp network.  I've created the static routes for the state networks on the corp switches, but have made no progress.  The point is to be able to manage the state devices (printers/phones) from the corp network.  Can I make this work with the Meraki router?  Is this an issue with how Meraki routers handle NAT?

 

Do I need to create a VPN?  If I do, can I create a VPN that prefers going over WAN2 (if not exclusively)?

 

Thanks for any assistance.

 

Jeremy

 

 

 

5 Replies 5
GIdenJoe
Kind of a big deal
Kind of a big deal

That's a bit of a bad practice there.

 

You could get it to work a bit and painfully by adding a bunch of port forwards to get through the NAT.

 

It would however make more sense if you have another network between the state and corp that connects BEHIND the MX so you can route directly to them.

 

If it is like this that you use the 192.168.1.x for your corp environment and state has their own network I would suggest having a separate subnet between your coreswitch and the MX WAN2 and ACL that off so it can only go to the internet from there.  And have another subnet that connects between your core and state MX behind it and have static routes pointing between them and of course ACL'ing those off so you only have allowed traffic going back and forth.

DunJer622
Building a reputation

GldenJoe,

 

Thanks for the reply.  I'm not sure if I'm following on what makes this a bad practice.  The point would be to limit the incoming traffic on WAN2 to 2 private networks, if not select IPs.  Sure, if one of the internal corp devices got compromised, they'd have full access to the state devices, but they'd already have access to the corp devices and all VPN devices, so I'm pretty screwed at that point anyhow.  I'm just looking to avoid having to have the state office need to go over the Internet for a connection to our corp office, as it is simply across a hall.  Obviously, incoming traffic is blocked for a reason.  I'm not arguing.  I'm just trying to understand what makes it a bad practice.

 

As for your workaround, can you help me get a better picture of it?  Are you suggesting that I should have an MX behind an MX?  Currently, corp has an MX250 connected to an MS250.  The MS250 port that is connected to the WAN2 on the state MX is configured with the server VLAN as native and only the server and voice VLANs are allowed.  At this point, the desire is to have the state users be able to access the corp servers and the corp servers see the state printers, while the state phones see the voice controllers and the voice controllers see the state phones.  With your suggestion, are you saying for me to create a "state" VLAN, assign it to the MS250 port and have it connect to something other than the state MX WAN2 port?  I'm trying to draw it out, but I'm not seeing how it works.

 

Again, I'm not arguing, and appreciate the reply.  I'm just not quite understanding it.  Fortunately, the state office is not currently live, so I can test any design, as long as it doesn't negatively impact the existing corp network. 

 

Thank you,

 

Jeremy

ww
Kind of a big deal
Kind of a big deal

You can connect  both lan ports between the mx1 and mx2 with a New subnet. And route local traffic over that link.

DunJer622
Building a reputation

Thanks for the reply, ww.

 

So, are you saying to take the MS250 (switch) out of the equation?  As such, for example, I'd create the VLAN 22 with a subnet of 10.22.22.0/24 and MX IP of 10.22.22.1 on the corp MX250 and configure a LAN port on the corp MX250 as Trunk/Native VLAN 22/Allowed VLANs All (or limited to Server and Voice) and create the VLAN 22 on the state MX84 with a subnet of 10.22.22.0/24 and MX IP of 10.22.22.2 and a LAN port on the state MX84 as Trunk/Native VLAN 22/Allowed VLANs All.  I'd then add a static route (or routes) on the state MX84 that states that the next hop of the corp network(s) is 10.22.22.1, while adding a static route (or routes) on the MX250 stating that the next hop of the state network(s) is 10.22.22.2? 

 

Would I perhaps do /30 instead of /24 for the 22 VLANs, avoiding duplicate IPs that way?

 

Thanks,

 

Jeremy

 

 

ww
Kind of a big deal
Kind of a big deal

Yes. I would just set them  as access port vlan22 

Get notified when there are additional replies to this discussion.