MPLS through internet port on MX67

nikmagashi
Getting noticed


Hi,


We have an MPLS line from HQ to a branch office. We had FortiGates on both sites and it worked well. On the branch office we replaced the FortiGate with an MX67 and now we are having problems with the traffic that comes from the HQ to the branch office. The MPLS line terminates in the internet port of the MX67. So all the traffic from the MX is sent through the MPLS to the HQ firewall. We can ping the networks on the HQ from the MX67 internal VLANs, but doing it from the HQ to the branch office's MX, the ping never responds. I know it might have something to do with the NAT on the internet port of the MX, but I need to be sure, in case someone has had the same issue.


When I look at the route table I see a default route 0.0.0.0/0 through the WAN interface. It's worth mentioning that I have not created any static route on the MX!


BR

alemabrahao
Kind of a big deal

Have you checked this document?


https://documentation.meraki.com/MX/Networks_and_Routing/Integrating_an_MPLS_Connection_on_the_MX_LA...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
cmr
Kind of a big deal

Put the HQ MX in single ended concentrator mode and connect the MPLS via a L3 switch at HQ. On the L3 switch have a default gateway to enterprise edge firewalls.


Works well unless you are trying to use the same MX to terminate MPLS and internet at HQ...

If my answer solves your problem please click Accept as Solution so others can benefit from it.
nikmagashi
Getting noticed

We have a FortiGate on the HQ and an MX67 on the branch office. I called Meraki support today and they helped me with this problem. They activated the NAT feature where I could later choose to disable the NAT on the internet port on the Meraki, or even on a specific VLAN if I want to. Of course this should be taken with caution, since the inbound rules are in allow state now, but we do have a firewall on the HQ which controls everything.
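Added illustration of the behaviour this thread describes (not Meraki's code and not from any poster): a minimal model of a WAN port that, with NAT on, answers branch-initiated pings but silently drops HQ-initiated ones, and that, with NAT off, lets inbound firewall rules decide instead. Addresses are constructed, and translations are keyed on peer address only.

```python
from dataclasses import dataclass, field
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass
class WanPort:
    nat_enabled: bool
    wan_ip: str                  # address the MPLS/HQ side sees for the port
    inbound_allow: list = field(default_factory=list)  # prefixes inbound rules permit (consulted only with NAT off)
    flows: set = field(default_factory=set)            # (peer, lan_host) learned from outbound traffic

    def egress(self, pkt):
        """LAN -> MPLS. Remember the flow; with NAT, hide the LAN source behind wan_ip."""
        self.flows.add((pkt.dst, pkt.src))
        return Packet(self.wan_ip, pkt.dst) if self.nat_enabled else pkt

    def ingress(self, pkt):
        """MPLS -> LAN. Returns the delivered packet, or None when the port drops it."""
        if self.nat_enabled:
            # Only a reply addressed to wan_ip from a peer we already talked to is un-NATed.
            # (A real NAT also keys on ports / ICMP id; one LAN host per peer is enough here.)
            for peer, lan_host in self.flows:
                if pkt.src == peer and pkt.dst == self.wan_ip:
                    return Packet(pkt.src, lan_host)
            return None   # HQ-initiated ping: no state, dst is the LAN host not wan_ip -> dropped
        if (pkt.src, pkt.dst) in self.flows:
            return pkt    # return traffic for a branch-initiated flow
        dst = ipaddress.ip_address(pkt.dst)
        if any(dst in ipaddress.ip_network(p) for p in self.inbound_allow):
            return pkt    # unsolicited, but permitted by an inbound rule
        return None

LAN_HOST, HQ_HOST, WAN_IP = "192.168.10.5", "10.0.0.10", "172.16.1.2"  # constructed sample addresses

def branch_to_hq_ping(port):
    """True if an echo from the branch VLAN gets its reply delivered."""
    out = port.egress(Packet(LAN_HOST, HQ_HOST))
    return port.ingress(Packet(HQ_HOST, out.src)) is not None

def hq_to_branch_ping(port):
    """True if an echo from HQ reaches the branch VLAN host (the failing case in the thread)."""
    return port.ingress(Packet(HQ_HOST, LAN_HOST)) is not None

if __name__ == "__main__":
    print("NAT on :", branch_to_hq_ping(WanPort(True, WAN_IP)), hq_to_branch_ping(WanPort(True, WAN_IP)))
    allow = ["192.168.10.0/24"]
    print("NAT off:", branch_to_hq_ping(WanPort(False, WAN_IP, allow)), hq_to_branch_ping(WanPort(False, WAN_IP, allow)))
```

Disabling NAT turns the port into a plain router, so the third case (NAT off, no inbound allow rule) shows what an inbound deny policy at the branch would do to HQ-initiated traffic.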
