Meraki

Community

MX to 3rd party firewall VPN

leigh161
New here
‎Nov 1 2022 4:42 AM
‎Nov 1 2022 4:42 AM

MX to 3rd party firewall VPN

Hi, I have a client that has configured a site to site VPN between a MX 95 and some 3rd party firewall. Everything is working from site to site EXCEPT the sync between a pair of Microsoft AD servers, one at each site. 

 

Nothing apart from the VPN authentication settings has changed on the remote site. On the Meraki side the MX device "seems" to , by default have everything open and you add rules to close stuff out. Any idea as to why then, the ports for AD are not getting across??

 

Thanks a million,

 

Labels:
0 Kudos
5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 1 2022 4:45 AM
‎Nov 1 2022 4:45 AM

Meraki has implemented some security features, take a look at the article below.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_Device_to_Clou...

 

alemabrahao_0-1667303097813.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 1 2022 4:51 AM
‎Nov 1 2022 4:51 AM

Is the communication between the servers working? ICMP for example.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
leigh161
New here
‎Nov 1 2022 5:54 AM
‎Nov 1 2022 5:54 AM

Hi there,

 Thanks for the reply, yes it is - i got them to ping from one to the other using the server IP as source and it worked fine. Just issues with AD not syncing

L

0 Kudos
In response to leigh161
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 1 2022 5:58 AM
‎Nov 1 2022 5:58 AM

If you don't have any blocking rules in MX my only suggestion is to check if the other side may have any blocking rules.

Otherwise, I suggest opening a case with support.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KarstenI
Kind of a big deal
Kind of a big deal
‎Nov 1 2022 5:00 AM
‎Nov 1 2022 5:00 AM

You are right that by default all inbound traffic is allowed (which is the largest drawback of Meraki in my mind. If you want to make sure that your business-partners can't access just everything, you need a different device which is typically an additional ASA in my case).

You don't say anything about your setup so this is only a wild guess, but it is very often overlooked:

You are using IKEv2 and you have multiple subnets configured. The first established subnets work, but your AD controller is on the additional subnet which is not working. This would be an additional drawback of the Meraki MX as this is quite often incompatible to other vendors:

https://documentation.meraki.com/MX/Site-to-site_VPN/IKEv1_and_IKEv2_for_non-Meraki_VPN_Peers_Compar...

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.