External Port forward to VLAN on MX68

Solved
Memonic

Hey Meraki Community,

I have some problems with external port forwarding to a VLAN, which does not seem to be working.
I have a web server running on VLAN 5. It’s on an ESXi 7 server connected directly to an MX68, connected to the internet with cable ADSL and a cell connection. The port is configured as a trunk, as is the ESXi, and the managed ESXi network is VLAN 1.
My internal client is on VLAN 13 and has NAT to 1, 5 and internet.

Port forward to webserver:80 and 443
All internal traffic is working, but I cannot see my web from outside. The packet capture does not give any hit.
Any suggestions?

 

1 Accepted Solution
Memonic

Well… It turns out that my ISP provider did change some settings when they added the static IP address, which conflicted with my MX. The error was that the modem was replying to some requests, ICMP was one, so after some (many) hours of frustration, I could count the MX out as the source of the problem.

The bad thing is now the ISP are not sure why my modem in transparent mode isn’t transparent…

Thanks for your effort in helping, it gave me the fresh eyes I needed… Now I hope they can fix the modem…

Memonic

Oh, and I have a Z3 VPN connected, and those clients can also see the web.

KarstenI

What do you mean by packet capture not showing any hint? Do you see the traffic entering the MX on the internet port?

Memonic

Yes, but only for the VPN; it seems the MX ignores 80 and 443 from external to the web server IP.

KarstenI

What kind of device do you have in front of the MX? Perhaps something is filtered there. Because TCP 80/443 for sure can be forwarded.

Memonic

It's a Sagemcom fast 3890V3 modem in bridge mode.

KarstenI

Is this a modem that you use with PPPoE? At least my MX with v15 behaves a little bit strange. The first capture on the internet port has to be done with the filter "pppoes and ip" to see any result. After that, the capture works normally.

 

Can you ping the MX interface (make sure it is enabled on the firewall page) and can you see that ping in the packet capture?

Memonic

Yes, it's a DSL modem.
The fun part is that the VPN connection is established without any delays, issues or anything, and both through the VPN and internally the access to the server is working fine.
My MX has just been updated to version MX 14.53, stated as the last one.
I’ll verify the ping later, but as I remember it replies when enabled, but I can't remember if it is in the capture.

PhilipDAth

Does your MX have a public IP address on its WAN interface?

Memonic

Yes, it has one static for the WAN 1 and one dynamic for the cellular link.
