Meraki

soundman353 · ‎Jul 6 2018

Hello All,

I have a Meraki MX100 behind a Cisco ISR4331 and I cannot figure out how to get the Client VPN to work.

The router has a non-routable IP for the WAN side, I have /29 of public IP's. I have the subnet advertised by BGP on the router. I have a private routable for the LAN side of the router and WAN side of the MX100. The first IP address of the public block is NAT'ed to the MX100. I have the rest of the IP's NAT'ed on the MX100 to the network behind it.

Internet --- ISR4331 --- MX100 --- MS250

Although I haven't tested yet I am guess that Point-to-Point VPN's will not work either.

If someone would point me in the right direction I would be most appreciative.

PhilipDAth · ‎Jul 6 2018

You are better to move your routable IP block so it is between the 4331 and the MX100.

Failing that, if you are using client VPN to the MX100 you need to make sure udp/500 and udp/4500 are NATed through to the MX100 WAN interface IP address.

You wont be able to directly NAT on the ISR4331 to IP addresses behind the MX100. You will need to NAT (on the ISR4331) to an IP address that is between in the ISR4331 and the MX100, and then NAT again (on the MX100) from that IP address to the final internal IP address.

However like I say, it is a million times simpler if you can just put the public IP address block between the ISR4331 and the MX100.

soundman353 · ‎Jul 6 2018

So my 4331 LAN IP one of the /29? I thought of doing that but don't really want to bleed IP's.

I tried forwarding the UDP ports through the NAT, but it didn't work. The configuration I tried is below.

ip nat inside source static udp 10.1.1.2 500 X.X.X.X 500

ip nat inside source static udp 10.1.1.2 4500 X.X.X.X 4500

PhilipDAth · ‎Jul 6 2018

Yes, so your ISR4331 would have one of the /29 IP addresses.

Try forwarding ESP (which is an IP protocol) as well otherwise.

Meraki

Community

MX100 Behind ISR4331

MX100 Behind ISR4331