Hi, I have 40 offices set up with MX84 and 65 firewalls connecting back to the HQ data center MX100. Our offices are spread out all over the US and Canada. Everything has worked flawlessly with mostly fiber internet service and cellular backup at the branches.
The problem: due to cost savings, our CFO forced us to change all ATT fiber branch offices (about 20) to ATT NOD (Network on Demand). The way it works is the branch office gets a fiber circuit that has local network access to our data center; it's just as if they were a building onsite with a fiber run.
So I would like to keep the firewall functions because it's still going through ATT and who knows what other networks; that being said, I don't want transparent mode?
In testing we created a VLAN that all NOD sites will come into and have the routes in the core that give access, and it works, but the firewall blocks access going back to the branch side. Should we just add NATs and forwards for the services that need to go back and forth?
Or are we looking at this wrong and should have the NOD come in on the WAN2 in the MX100?
We have a Meraki engineer scheduled to help us with this, but it's a week away; just wanting to see if anyone has any insight or has done this type of setup.
Thanks for any input