Exit Hub for specific IP

Getting noticed

Hi there, 

 

Been using Meraki for nearly 2 years now and very happy with the kit. 


We have an MX84 in a datacentre with IP a.a.a.a. We have a number of other MX and Z1 in our organisation. Site to Site is working great, however what we would like to do is, for a specific IP address, b.b.b.b, route all traffic destined for that IP through the MX84. 


For example, a client on network 2 behind an MX65, when they try to access b.b.b.b they appear from the MX84 device and not the IP address of the MX65 WAN. Our client (who runs b.b.b.b) blocks their equipment for public IPs unless in a whitelist. Some of our MX/Z1 are on dynamic IPs, so I am hoping to route through the MX. 

 

I don't want to route *all* traffic through the MX, only VPN or for b.b.b.b. I've tried creating static routes, but that hasn't worked. 

 

Thanks,

Chris

7 REPLIES 7
Meraki Employee

Re: Exit Hub for specific IP

@AnythingHosted If I'm tracking with what you're trying to get to, then this should be a fairly simple fix but depends on the AutoVPN posture of your DC MX84. If you go to Dashboard > Select your MX84 Network > Security appliance > Addressing & VLANs, are you running in NAT mode or concentrator? Both are supported AutoVPN roles for a DC deployment, but the way routes are injected into the AutoVPN table for remote MX peers is different.

 

Knowing if it's NAT mode or concentrator should help us guide you towards a solution.

Meraki Employee

Re: Exit Hub for specific IP

Assuming your DC MX84 is in NAT mode, then you would need to add a static route for b.b.b.b/32 on your MX84 appliance under Addressing & VLANs with a next hop of a router/switch connected to one of the local, internal subnets. Make sure you select "in VPN, yes". That will inject the route into the AutoVPN global route table and tell the MX64 peer to send all traffic destined for b.b.b.b tunneled to the MX84 first.

 

Getting noticed

Re: Exit Hub for specific IP

Hi @Dashboard_DJ

 

Many thanks for the detailed steps below. 

 

I've been able to add the route on the MX84 (the next hop I put as the local IP address of the MX84). However, on the route table screen it is highlighted red with no connectivity. Now also when I remote desktop to a local Windows client of the MX84, the IP for b.b.b.b is inaccessible. When I remove the static route, the Windows client can access b.b.b.b.

 

Have I chosen an incorrect Next Hop IP?

 

Thanks,

Chris

Meraki Employee

Re: Exit Hub for specific IP

The next hop IP should not be the MX84 IP address. It should be the IP address of the "next hop" towards your internal LAN. Essentially the IP address of the device you have the MX connected to on the LAN-side. Most likely an L3 switch interface or router.

Just browsing

Re: Exit Hub for specific IP

But Meraki does not allow you to put the external gateway as the next hop. It only lets you put IPs within your network.

Here to help

Re: Exit Hub for specific IP

With VPN hubs, static routes on the "Addressing & VLANs" page will route traffic out of a LAN side interface.

 

Static routes on the "Site to site VPN" page in the "local networks" section will route the traffic out of the WAN links on the hub.

Just browsing

Re: Exit Hub for specific IP

Owen. That is correct, but it does not provide a solution for the OP and myself. I had worked with Meraki support and they said this cannot be done with Meraki equipment and that I should "submit a wish".

I have tried for months to figure out a hack or workaround with no success. To the point where I may need to replace the Meraki firewalls with something that supports it.
