Meraki

Community

MS85 as Just a Router

Solved
GFrazier
Building a reputation
‎May 9 2023 11:16 AM
‎May 9 2023 11:16 AM

MS85 as Just a Router

Have a client who wants to continue using their ASA 5516, but purchased a MX85 as their router for their new Comcast Circuit. They have multiple static Public IPs for their on-prem servers. The Gateway and Public IP is set correctly in the MX85 and we got connectivity...
 
I set a Single LAN of their usable Public IP Block 50.x.x.x /29, set the MX IP 50.x.x.254.  They assigned their ASA 5516 one of the usable Public IPs 50.x.x.253. We can get traffic from inside the network, however, cannot get to the public IPs from outside the network. 
 
It slipped my mind to set the 1:1 NATs, so I had to change the routing configurations for Single VLAN to Multiple VLANs and add their local lan IP block 192.x.x.x /24. Their LAN gateway is 192.x.x.1 - I did not know how it would affect the routing if I added that same gateway IP for the MX IP in the VLAN configurations, so I just added 192.x.x.254… Because they are not using the MX 85 for DHCP, I did not enable it, however, it now allows me to successfully add the 1:1 NATs using the Public and Local IPs for the servers. I have not tested this yet - I won't be working on this until tomorrow.
 
I would like to know if anyone has had this setup before and if so, were you able to setup the configuration so that you could ping directly through to the Public IPs.

++++++

A quick overview of my settings:

MX85 WAN 1
Gateway: 50.x.x.x (Comcast Gateway IP)
Public: 50.x.x.x (Comcast Assigned Router Public IP)
Subnet: 255.255.255.252 (Comcast Assigned Subnet)

MX85 VLANS
1 - 50.x.x.x /29, MX IP: 50.x.x.254 (Comcast Assigned IP Block)
2 - 192.x.x.x /24 (Company's Internal IP Block)
Note: Uplink Trunk Port to Firewall is set to allow All VLANS

MX 85 Forwarding Rules (Just Added)
1:1 NAT to Mail Server
Public IP: 50.x.x.x
LAN IP: 192.x.x.x
Protocol TCP, ICMP ping
Ports xx
Remote IPs Any

1:1 NAT to "Other" Server (Just Added)
Public IP: 50.x.x.x
LAN IP: 192.x.x.x
Protocol TCP, ICMP ping
Ports xx
Remote IPs Any

MX85 DHCP: NOT CONFIGURED

ASA 5516
Public IP: 50.x.x.253
Gateway IP: 50.x.x.254

++++++

FYI:
We are unable to add IP4 inbound firewall rules.

The IT Team managing the firewall could not remote in on port 22...We had to create a port forward to the 50.x.x.253 and they had to use the MX85 Public IP to get in, however still cannot ping through to the IP.

0 Kudos
1 Accepted Solution
In response to alemabrahao
GFrazier
Building a reputation
‎May 13 2023 4:55 PM
‎May 13 2023 4:55 PM

With the 50.x.x.196 /30 IP Block:  50.x.x.197 as gateway and 50.x.x.198 as MX IP, the "VISIBLE" IP will always be the ...198... The 50.x.x.248 /29 Usable IPs will never be visible through the MX85 with this particular IP setup.   The only way we can get through is Port Forwarding, which means all the services they now have that point to separate Public IPs will need to point to the one 50.x.x.98 - they don't want that; they want their Usable IPs to be visible... So basically, we will just use the MX85 to replace the ASA 5616 and get a more basic router.

View solution in original post

0 Kudos
8 Replies 8
GFrazier
Building a reputation
‎May 9 2023 11:20 AM
‎May 9 2023 11:20 AM

A better list of the current settings:

 

MX85 WAN 1
Gateway: 50.x.x.x (Comcast Gateway IP)
Public: 50.x.x.x (Comcast Assigned Router Public IP)
Subnet: 255.255.255.252 (Comcast Assigned Subnet)

 

MX85 VLANS
1 - 50.x.x.x /29, MX IP: 50.x.x.254 (Comcast Assigned IP Block)
2 - 192.x.x.x /24 (Company's Internal IP Block)
Note: Uplink Trunk Port to Firewall is set to allow All VLANS

 

MX 85 Forwarding Rules (Just Added)
1:1 NAT to Mail Server
Public IP: 50.x.x.x
LAN IP: 192.x.x.x
Protocol TCP, ICMP ping
Ports xx
Remote IPs Any

 

1:1 NAT to "Other" Server (Just Added)
Public IP: 50.x.x.x
LAN IP: 192.x.x.x
Protocol TCP, ICMP ping
Ports xx
Remote IPs Any

 

MX85 DHCP: NOT CONFIGURED

 

ASA 5516
Public IP: 50.x.x.253
Gateway IP: 50.x.x.254

++++++

0 Kudos
In response to GFrazier
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 9 2023 11:53 AM
‎May 9 2023 11:53 AM

Why did you create a vlan in the same range as your public IP?
 
the public IP on the MX is only used for the WAN.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
GFrazier
Building a reputation
‎May 9 2023 1:09 PM
‎May 9 2023 1:09 PM

The Public IP for the MX is in a different Subnet /30... I should have specified that... The IP is 50.x.x.196 /30... So the Public IP for the MX is 50.x.x.198, and the Comcast Gateway is 50.x.x.197...

 

The Usable Static IPs are 50.x.x.248 /29 (6 usable IPs)... I had to initially add the 50.x.x.248/29 in order to assign the gateway (50.x.x.254) for the ASA on the inside, who has the IP of 50.x.x.253.

0 Kudos
In response to alemabrahao
GFrazier
Building a reputation
‎May 9 2023 1:12 PM
‎May 9 2023 1:12 PM

In response to my last reply:  Or should I have not configured a LAN at all?

0 Kudos
In response to alemabrahao
GFrazier
Building a reputation
‎May 9 2023 1:16 PM
‎May 9 2023 1:16 PM

Should I have just not configured a lan and left it to the default route 0.0.0.0? That would have allowed for all traffic to flow to any of the public IPs on the other side.  Correct?

0 Kudos
In response to GFrazier
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 9 2023 5:25 PM
‎May 9 2023 5:25 PM

To be honest, I think you're overcomplicating the topology. In its place I would create a link network between the MX and the ASA and work with static routes.

 

To be more honest I still don't understand your idea, if it had a topology everything would be clearer.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
GFrazier
Building a reputation
‎May 10 2023 8:42 PM
‎May 10 2023 8:42 PM

Good Evening... Working on a few hrs of sleep can have you overlooking a lot... After looking over the IPs earlier this morning, I realized that  - yes - I am actually using the same IP range (so to speak)... Comcast gave the client a 50.x.x.196 /30 to use - ...197 gateway and ...198 MX IP, and in addition gave the client the usable IPs on 50.x.x.248 /29.. No way we would have ever setup 1:1 NAT with that, especially with the client's IT team wanting to use an ASA behind the MX... I noticed that they opted out of the Advantec router all together for that Comcast rents out, so basically they need a simple router.

 

BTW, the topology is Comcast Gateway > Comcast Ciena > MX85 > ASA 5611 > Servers

0 Kudos
In response to alemabrahao
GFrazier
Building a reputation
‎May 13 2023 4:55 PM
‎May 13 2023 4:55 PM

With the 50.x.x.196 /30 IP Block:  50.x.x.197 as gateway and 50.x.x.198 as MX IP, the "VISIBLE" IP will always be the ...198... The 50.x.x.248 /29 Usable IPs will never be visible through the MX85 with this particular IP setup.   The only way we can get through is Port Forwarding, which means all the services they now have that point to separate Public IPs will need to point to the one 50.x.x.98 - they don't want that; they want their Usable IPs to be visible... So basically, we will just use the MX85 to replace the ASA 5616 and get a more basic router.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.