Hub trying to connect to LTE private IPs

Gillic01
Here to help

I have noticed my MX450s are trying to create tunnels to LTE devices on WAN2 private IP address, but we are denying this on our ASA. But I don't think this is a good idea to permit our MX hub to talk out to private IPs.

Ryan_Miles
Meraki Employee

MXs register their interface IP (private) and NAT public IP with the VPN Registry. This allows for MXs to form a tunnel over a private WAN and, if that's not available, over the internet. I assume you're just seeing this process via firewall logs or packet captures.

Yes, so we deny this hub to talk out to those private IP addresses. If I did add an ACL to allow it, how would it even know where that private IP is?

PhilipDAth
Kind of a big deal

Being private IP addresses - wouldn't they be assigned from your team to the Telco to use?

If you know what block they are in then you could create a rule to allow that block.

 

The other thing is the MX450 is a firewall. Is there any reason to block any traffic to or from this firewall?

I think you are correct. The problem with that is CradlePoints with private IP on their inside: the MX headend would never be able to connect to that outside of the tunnel, which is what is happening. Even if I allowed that traffic, it wouldn't know where to go. Checking with Support now, should be able to block this traffic, maybe on the headend.
