MX100 External Address Range

Solved
Q313
Here to help


Hi team,


I need to set up a site-to-site VPN tunnel and I cannot find/figure out how to use one of my external IP addresses. I have 6 addresses to use, but don't see how to accomplish this with the Meraki MX100.


In contrast, I can successfully use 1:1 NAT to utilize an external IP for a device on my LAN.


I've checked a few posts and they are related to the above type of configuration.


An older post stated this is not possible (no one agreed to or denied the claim, however).


Any input on external IP ranges and site-to-site VPN?


Much appreciated 🙂


Any advice?

1 Accepted Solution
cmr
Kind of a big deal

@Q313 from the document linked to by @DarrenOC :


Public IP - The public IP address from which the remote MX can be contacted. This can be found on the remote MX in Dashboard under Security & SD-WAN > Monitor > Appliance status > Uplink > Configuration > General > Public IP:


I.e., you can only build a tunnel to the device interface IP, not one of the other public IP addresses in the public range you have on the WAN port. If you have two ISPs you can build a tunnel to either WAN port IP address.

If my answer solves your problem please click Accept as Solution so others can benefit from it.


6 Replies
DarrenOC
Kind of a big deal

Hi @Q313 , this should help


https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_between_MX_Applian...


Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
BrechtSchamp
Kind of a big deal

I'm not sure I understand the question. But in the case of two uplinks the MX should build tunnels over both uplinks automatically (unless NAT traversal doesn't work and you're using manual NAT forwarding).


If you're talking about a situation where there's a provider router in front of your MX and it's a NATed setup, it's up to that device to NAT the correct address.


This whitepaper goes quite deep into how the AutoVPN works:

https://meraki.cisco.com/wp-content/uploads/2020/05/meraki_whitepaper_autovpn.pdf


This article also mentions the fact that tunnels are built over both uplinks:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Failover_Behavior

Q313
Here to help

Thank you very much.


Sounds like despite the range of IP addresses I own, I can only use one IP via the Meraki uplink (or use a second uplink for a second address).


cmr
Kind of a big deal

@Q313 if you have internal services that you want to publish externally you can use 1:1 NAT to map the internal servers to a unique external address. You just cannot do this for VPN connections or subnets.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
WillN
Getting noticed

Might need a bit of clarity on this question.

When you say Site-to-site VPN, do you mean Meraki MX VPN services, or a device that sits behind the Meraki MX in a LAN port that is the source of the VPN connecting to another site OVER the Meraki MX?
