
Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

HPP
Comes here often

Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

Hi All, I have a Meraki MX 84 device with firmware version 14.39. I want to deploy it in a small remote network where two separate ISPs are terminated at the edge firewall. So, I would like to know whether, if I use a LAN port instead of the WAN or Internet port, registering with the cloud as well as the Auto VPN feature will work if I hide behind the two different ISP public IP addresses at the edge firewall. Secondly, we also want to test failover, meaning that when one ISP connection is down at the edge firewall, it still connects to the cloud as well as Auto VPN with the second ISP public IP, as we have NAT with two ISP public IP addresses.
Head in the Cloud

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

Cloud connection, as well as the AutoVPN, should work, even if one of the connections goes down.

The public IP does not matter for these connections.

Your NATted IPs shouldn't be available anymore if the affected public IP goes down.

Kind of a big deal

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

No.  The Meraki MX talks to the cloud via its WAN ports.

HPP
Comes here often

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

@PhilipDAth 

What is the reason that connecting the WAN port is necessary, even when a private IP address is allocated to the WAN port?

We have a requirement to connect the Meraki device WAN port to cascading switches, and the Layer 3 next hop is the edge firewall. Have you tried to register and AutoVPN through a LAN port?

 


 

 

Kind of a big deal

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

What are you trying to get the MX to do?

HPP
Comes here often

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

@PhilipDAth 

 

I want to register the Meraki 84 with the cloud through a LAN port. The same LAN port will also be used for AutoVPN.

So I would like to know whether it is possible through a LAN port instead of a WAN port, as we are doing NAT at the edge firewall.

Here to help

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

As @PhilipDAth told you, the MX uses its WAN interface for cloud communication.

Even though you redirect all traffic, the WAN interfaces are going to be needed.

HPP
Comes here often

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

@Josper, OK, but we could not place two WAN ports in the same subnet on a standalone Meraki device. We want to attach the WAN-side ports to cascading switches (daisy chain).

HPP
Comes here often

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

Please find the diagram below for reference, where I want to use the LAN 1 and 2 physical ports for the LAN segment and the LAN 3 and 4 physical ports for an outside segment. The Meraki deployment would be NAT mode, as we could not use the WAN 1 and WAN 2 ports in the same subnet. So I would like to know whether the LAN ports can be used for Auto VPN.

 

 

 Pune-SI-Meraki.jpg

Meraki Employee

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

Why can't you just use your two WAN ports on the MX, to link to the VLAN or VLANs which are Internet-facing, on the upstream switches? Both of these WAN ports can be in the same subnet, if they really need to be - I have had this working on my MX, as shown below.

Dual uplink, same subnet.png

Here to help

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

Sorry @HPP, maybe I misunderstood you, but I don't see the need for the LAN interface for Auto VPN in that topology.

Use the same VLAN for communicating with the ISP routers (or define a new one just for Meraki cloud control) on your Meraki WAN interfaces and define your primary uplink preferences, SD-WAN policies, static routes....

 

Regards.

HPP
Comes here often

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

@GreenMan Thanks for the reply. As you can see in the diagram shared earlier in the post, the Meraki box is using the WAN 1 connection, as it passes through the active firewall, where two ISPs are terminated on each firewall. So we NATted the private IP address of the Meraki WAN 1 to both ISP public IP addresses dynamically. Secondly, we configured the ISP failover condition at the firewall level. But the problem is that the Meraki registered with the dashboard via the primary ISP public IP address. Once failed over to the secondary ISP, it could not register with the secondary ISP IP address, as the cloud dashboard is still trying to trace the primary ISP public IP address. Dynamic DNS is even disabled on the Meraki box as well.

Kindly let me know the reason why the Meraki could not register with the secondary ISP public IP address immediately when the primary ISP is down at the perimeter level.

 

Meraki Employee

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

OK - it would probably have helped if you included some information on your diagram, as to how VLANs are being used on the switches, to interconnect different components and ports (I'm still not sure why you have MX LAN ports linking to the upstream switches), but I think I understand your latest question:   basically the upstream PA firewall is changing the public IP address which the MX would be using over WAN1, as part of its own failover mechanism. 

 

This should work ultimately, I imagine, provided you have appropriate rules in the upstream firewall to allow the communications from the MX to Dashboard and other Meraki cloud resources, via each public IP, but it will take time - and might even require an MX reboot.   By default, even discovering that the upstream primary path isn't providing Internet connectivity will take five minutes:   https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo...

 

The MX then has to re-register with Dashboard, using the new public IP address.   How long did you leave it - and did you try rebooting the MX(s), as part of the diagnostics?

 

Basically - MX failover isn't designed to be based upon the MX having the public IP of a WAN port changed;  it's designed to make use of the fact that it has two ISP links, each with its own public IP (MX then checks in with Dashboard using both).

HPP
Comes here often

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

@GreenMan 

 

The upstream firewall allows connections on both ISP public IP addresses from the Meraki WAN 1 connection. When the firewall fails over to the secondary ISP, the Meraki is not able to register with the secondary ISP public IP address, even when we allow the Meraki box 10-15 minutes to register. But it should be done quickly, within 5 minutes, as well as in the AutoVPN case.

 

Also, we have not rebooted the box as a part of the troubleshooting step. Instead, we unplugged the cable of WAN 1 connection.

 

 

 


 

 

 

Meraki Employee

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

Try rebooting the MX.  My guess is that what you're seeing would be expected behaviour.

Building a reputation

Re: Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

If the LAN subnets exist in front of the MX then a one-armed concentrator is probably what you are looking for.