Meraki

Community

DMZ without an extra Static IP address.

Trunolimit2
Conversationalist
‎Dec 7 2021 11:53 AM
‎Dec 7 2021 11:53 AM

DMZ without an extra Static IP address.

Is having an extra static IP the only way to do a proper DMZ using an MX100?

 

 

0 Kudos
4 Replies 4
Ryan_Miles
Meraki Employee
Meraki Employee
‎Dec 7 2021 12:02 PM
‎Dec 7 2021 12:02 PM

What's your use case? What specifically are you attempting to do?

 

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Ryan_Miles
Trunolimit2
Conversationalist
‎Dec 7 2021 12:18 PM
‎Dec 7 2021 12:18 PM

You're gonna think it's crazy.

 

So we have this server at site A. We are using meraki client VPN to allow remote users to access the Server on site A Authenticating through an LDAP server.

 

Site A is being shutdown so we are going to bring the server to site B temporarily. Our end goal is to move the server to the cloud and screw having a physical server. But we need time to do that. The problem is that site B is using the VPN with meraki authentication. We want to move the server to site B without having to have everyone change their VPN settings and without causing issues with site B's VPN users.  

 

So I was thinking I would take the MX100 from Site A and put it behind the MX100 at site B but on a DMZ so users can utilize both VPN options. 

 

There probably isn't anyway to do this without getting a separate static IP for the Site A MX100 huh?

0 Kudos
In response to Trunolimit2
Brash
Kind of a big deal
Kind of a big deal
‎Dec 7 2021 1:08 PM
‎Dec 7 2021 1:08 PM

Your main issue I can see is that both MX's will use the same external port for Meraki client VPN, so unless you have multiple external IP's, there's no way you can get both VPN's working from the same IP.

Is the issue here that you have users who are configured to VPN to Site-A that you don't want to re-configure for Site-B, or are you just trying to avoid changing the IP on the server?

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 7 2021 1:03 PM
‎Dec 7 2021 1:03 PM

It looks like you have a little bit of time to plan this out.

 

If you are using the Windows client VPN, change all the users to connecting to a DNS name, such as vpn.company.com.  Then one day you can update this to point to any other site or IP address you want and (assuming the MXs are using the same settings) users will continue to connect and not know any differences.

Another simple option is to simply configure an additional client VPN connection on their machines, and then ask them to simple start using the new connection.

 

If you are using AnyConnect, you can create "site a" and "site b" in the drop-down list of connection options, and then ask users to simply start using the new site connection.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.