Ok, let's kick off my first request on the community. We have an MX250 with 2 providers.
Provider X gave us the following information.
GATEWAY : 192.168.99.1
We have a somewhat similar configuration and the internal IPs being used on the WAN interface should still work. It is somewhat similar to plugging in a DSL modem on the WAN port. If it isn't in bypass mode the MX gets a 192.168.x.x address and the gateway is the DSL modem 192.168.x.1.
Some data points:
You've said you connected the circuit directly to your laptop with the same 192.168.99.2 and .1 configuration and it worked? Are you using an identical configuration on the MX including DNS? Are you configuring the MX from the local configuration page and not the dashboard? I only ask because until the MX checks in it won't get any configuration changes.
The MX will only NAT outbound clients to the IP address configured on its WAN interface. So to make this work, the provider must NAT 192.168.99.2 for you into some public IP address space.
Personally I would insist on a public IP address stub between your MX and them. Also I don't believe the MX will support a /31 stub, so it needs to be a /30.
@Adam with my laptop I can reach the .1 but I can't get any further than that.
The IP configuration on the MX's uplink is the same as it was on the laptop.
The MX is online with WAN2, but I always configure this through the local page in case it goes offline.
@PhilipDAth Ok, this is exactly what I thought.. I'll get back in touch with the provider to figure this out.
His quick Google skills made him email me to use 1:1 NAT..
I'm not sure if they are willing to change their /31 into a /30.
This is a ping from the provider's side towards the MX250. Pings are responding and OK.
But the other way around it does not work.
1921_rtr1_access_AJD#ping vrf VO-ISP 192.168.99.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.99.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
c1921_rtr1_access_AJD#ping vrf VO-ISP 192.168.99.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.99.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
c1921_rtr1_access_AJD#sh arp vrf VO-ISP
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.99.1            -   881d.fc17.9da1  ARPA   GigabitEthernet0/1
Internet  192.168.99.2            0   e0cb.bc07.8c72  ARPA   GigabitEthernet0/1
*Update*
It seems as if the 1:many NAT rules are working.
I can reach internal websites and RDP sessions on the public addresses.
Is there any way to outbound NAT on Meraki?
Packets are getting the 192.168.99.2 address, which makes sense because the MX only has inbound NAT rules.
Any ideas? Support is not really catching on and asked me to make sure the provider could allow icmp and dns...
Cheers,
Ben
Meraki can only NAT outbound requests to the IP address on the WAN interface.
I was afraid of this..
Thinking outside of the box. Any suggestions?
I read here on the community that someone has put an L3 switch in between?