MX - Client VPN Native Meraki or AnyConnect - CGNAT

Carlos1
Comes here often
Hello Team, I hope you can help me with the following question:
Our MX record is receiving a dynamic public IP address, meaning we don't have a static public IP address from our ISP. Speaking with the ISP, they have a CGNAT on their end.
I've been checking to see if the Meraki or AnyConnect VPN client works with a CGNAT. Has anyone configured it and had it work?
I've been researching this and it seems I need to open UDP ports 500/4500 for VPN traffic, but is there anything else I need to do?

8 Replies
PhilipDAth
Kind of a big deal

If your MX is sitting behind a CGNAT connection, then it won't be possible to do a port forward.
However, you also mention you have a dynamic public IP address.  Is this public IP address directly on your MX WAN interface, or does the WAN interface have a private IP address on it?
If it really is CGNAT:

You would need to look at a SASE option like Cisco SecureConnect (if you have fewer than, say, 75 users) or Cisco Secure Access (if you have more than 75 users).
With these options, your VPN terminates in Cisco's cloud and then connects back to your MX via AutoVPN.
If the public IP address really is on your MX, then you can use Cisco Secure Client/AnyConnect, and connect to the DDNS name assigned to your MX.  It updates as the dynamic IP address changes.

Carlos1
Comes here often

I have a public IP address that appears in my MX record, but when I connect my WAN port to the ISP's router, I get an IP address in the 192.168.1.x/24 subnet.
Therefore, based on that, I shouldn't be able to use Meraki's secure client.
I'll run some tests to see how it goes.

Brash
Kind of a big deal

That's weird that they're using an RFC 1918 IP Range for CG-NAT instead of the 100.64.0.0/10 range.

But as @PhilipDAth advised, if you're behind CG-NAT you cannot port forward.

KarstenI
Kind of a big deal

Not sure about other countries, but in Germany, I see much more RFC1918 than 100.64/10 on the WAN side. They didn't really adapt to that range yet. But most are in the 10-network and not the 192.168-network. And 192.168.1.x/24 is really quite unusual as it will too often overlap with the customer's internal addresses.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Carlos1
Comes here often

My ISP does give me a public IP address, but I don't have a dedicated IP address for the WAN port. This is home internet. I've attached a screenshot of the MX server; the public IP address is dynamic.
What I was thinking of doing is using the DDNS resolution from the MX server to test with the VPN client.
IMG_0357.jpeg

alemabrahao
Kind of a big deal

Either way, you would have to configure port forwarding on your ISP's modem to point it to the MX IP address.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KarstenI
Kind of a big deal

The public IP is only the IP which is used to reach the internet. This can easily be behind a CGNAT. What is the device in front of your MX? Can you log in to that device? If there is a public IP on the WAN and you can set up port forwarding rules, then Remote Access should work.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Carlos1
Comes here often

In front of me is my ISP's router, and underneath is my MX connected to its WAN port, but it's not giving me a public IP address. It's giving me a private IP address in the 192.168.1.x subnet.
I have access to the ISP's router and I've already set up port forwarding. I'm connecting through the Meraki VPN client, but I don't have access to the internal networks. I'm still investigating why.
