Client Firewall behind the MXs

Solved
JPScolar
Here to help

My client wants to keep its Watchguard firewalls behind the MX appliances because he wants to control its network VPN remote access for its organization while benefiting from the SD-WAN advantages. For this he will need a public static IP address for the firewall, but I think this is difficult to implement behind the MXs. In addition, at its DC facility we will have two MXs in high-availability mode, so a change of the IP address while in failover mode may break the firewall VPN tunnels. Any advice on the best possible architecture to cope with this situation? Thank you for your help and comments.

Juan-Carlos Perez
1 Accepted Solution
cmr
Kind of a big deal

@JPScolar If the client only wants the SD-WAN features, then put the main site MXs in single-ended concentrator mode behind the Watchguards. We have our datacentre MXs set up this way (with another vendor's enterprise edge firewalls). Less disruption, and it works very well.

If my answer solves your problem please click Accept as Solution so others can benefit from it.

3 Replies
alemabrahao
Kind of a big deal

You can create a link network between the MX and the Watchguard, and in the MX create a NAT from the Watchguard IP to the client VPN port.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

Do you have a block of IP addresses (like a /28)? Can you plug the Watchguard directly into the Internet connection, rather than behind the MX?

More than likely, he doesn't need an entire static IP address. The Watchguard will need specific ports forwarded to it. If you are using a VIP address on your MXs, you could forward the ports from that to the Watchguard.

If you have a block like a /28, you could probably 1:1 NAT an entire IP.
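The two options in this reply (forward only the VPN ports from the MX VIP, or 1:1 NAT a spare public IP to the Watchguard) map onto two MX inbound rule types. The following is an added example, not code from this thread or from Cisco Meraki, that builds both rule sets in the shape the Meraki Dashboard API v1 expects for `PUT /networks/{networkId}/appliance/firewall/portForwardingRules` and `.../oneToOneNatRules`, and audits them for wider exposure than a VPN endpoint needs. The network ID is a placeholder, the IP addresses are constructed from documentation ranges, and the VPN ports (IKE UDP/500 and NAT-T UDP/4500) are an assumption about what the Watchguard actually listens on.

```python
"""Build and audit least-privilege MX inbound rules for a firewall sitting behind the MX."""
import json

# Constructed sample values: replace with your own. NETWORK_ID is a placeholder.
NETWORK_ID = "L_PLACEHOLDER_NETWORK_ID"
WATCHGUARD_LAN_IP = "192.0.2.10"   # Watchguard external interface on the MX link network (RFC 5737 range)
SPARE_PUBLIC_IP = "198.51.100.20"  # unused address from the ISP /28 (constructed)

# Assumed VPN services exposed by the Watchguard: (protocol, port, label).
VPN_SERVICES = [("udp", 500, "IKE"), ("udp", 4500, "IPsec NAT-T")]


def port_forwarding_rules(lan_ip, services, allowed_ips=("any",), uplink="both"):
    """Option A: forward only the VPN ports from the MX uplink/VIP to the Watchguard.

    Returns the 'rules' list for the portForwardingRules endpoint. Port forwarding
    covers TCP/UDP only, so plain ESP (IP protocol 50) cannot be forwarded this way;
    NAT-T on UDP/4500 avoids that problem.
    """
    return [
        {
            "name": f"WG {label}",
            "lanIp": lan_ip,
            "publicPort": str(port),
            "localPort": str(port),
            "protocol": proto,
            "allowedIps": list(allowed_ips),
            "uplink": uplink,
        }
        for proto, port, label in services
    ]


def one_to_one_nat_rule(public_ip, lan_ip, services, allowed_ips=("any",), uplink="internet1"):
    """Option B: map a whole spare public IP to the Watchguard.

    A 1:1 NAT without 'allowedInbound' entries exposes nothing inbound by default on the MX,
    so list exactly the services the Watchguard should answer to.
    """
    return {
        "name": "Watchguard 1:1",
        "publicIp": public_ip,
        "lanIp": lan_ip,
        "uplink": uplink,
        "allowedInbound": [
            {"protocol": proto, "destinationPorts": [str(port)], "allowedIps": list(allowed_ips)}
            for proto, port, _ in services
        ],
    }


def audit_port_forwards(rules):
    """Return human-readable findings for forwards that are broader than a VPN endpoint needs."""
    findings = []
    for r in rules:
        if "any" in r["allowedIps"]:
            findings.append(
                f"{r['name']}: open to any source "
                "(expected for roaming remote-access users; restrict to peer IPs for site-to-site)"
            )
        if r["protocol"] not in ("tcp", "udp"):
            findings.append(f"{r['name']}: protocol {r['protocol']} is broader than tcp/udp")
        lo, _, hi = r["publicPort"].partition("-")
        if hi and int(hi) - int(lo) > 10:
            findings.append(f"{r['name']}: port range {r['publicPort']} is wider than a VPN needs")
    return findings


def request_body(kind, rules):
    """Serialize rules as the JSON body for the matching Dashboard API PUT (assumed endpoint paths)."""
    paths = {
        "portForwarding": f"/networks/{NETWORK_ID}/appliance/firewall/portForwardingRules",
        "oneToOneNat": f"/networks/{NETWORK_ID}/appliance/firewall/oneToOneNatRules",
    }
    return paths[kind], json.dumps({"rules": rules}, indent=2)


if __name__ == "__main__":
    forwards = port_forwarding_rules(WATCHGUARD_LAN_IP, VPN_SERVICES)
    path, body = request_body("portForwarding", forwards)
    print(path, body, sep="\n")
    for finding in audit_port_forwards(forwards):
        print("AUDIT:", finding)
    nat = one_to_one_nat_rule(SPARE_PUBLIC_IP, WATCHGUARD_LAN_IP, VPN_SERVICES, allowed_ips=["203.0.113.0/24"])
    print(*request_body("oneToOneNat", [nat]), sep="\n")
```

Option A is the natural fit for the HA pair in the question: the forward is attached to the MX network (and the warm-spare VIP), not to whichever MX is currently active, so a failover does not change the address the VPN peers see.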
