MX250 Public IP to Private on WAN

Ben
A model citizen


Ok, let's kick off my first request on the community. We have an MX250 with 2 providers. 

Provider X gave us the following information. 

 

IP (STATIC): 192.168.99.2

GATEWAY: 192.168.99.1

DNS: we don't provide DNS, use Google.
There are 2 public IPs being routed to our MX (180.60.75.80/31, so .80 and .81).

 

 
Now for some reason they can ping our WAN side, but the MX is not picking up internet connectivity over this WAN interface.
The previous FW was a WatchGuard. They had the same configuration on their WAN, except that they could define secondary IPs on their WAN interface.

I do not see any other possibility apart from the 1:many NAT, but this does not work.
The provider did a quick Google search and told me to use 1:1 NAT, but I tried a few things and the WAN interface status is still Failed.
I cannot ping 192.168.99.1 from my MX, but if I put my laptop behind it in the same configuration I can reach 192.168.99.1.
 
Any thoughts? 
 
Thanks!
Ben
Adam
Kind of a big deal

We have a somewhat similar configuration and the internal IPs being used on the WAN interface should still work.  It is somewhat similar to plugging in a DSL modem on the WAN port.  If it isn't in bypass mode the MX gets a 192.168.x.x address and the gateway is the DSL modem 192.168.x.1.

 

Some data points:

You've said you connected the circuit directly to your laptop with the same 192.168.99.2 and .1 configuration and it worked?  Are you using an identical configuration on the MX including DNS?  Are you configuring the MX from the local configuration page and not the dashboard?  I only ask because until the MX checks in it won't get any configuration changes.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
PhilipDAth
Kind of a big deal

The MX will only NAT outbound clients to the IP address configured on its WAN interface.  So to make this work, the provider must NAT 192.168.99.2 for you into some public IP address space.

 

Personally I would insist on a public IP address stub between your MX and them. Also, I don't believe the MX will support a /31 stub, so it needs to be a /30.
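What the provider-side change described above would look like on the Cisco IOS router that appears later in this thread, written here as an added illustration that is not part of any reply. The VRF name VO-ISP and the 192.168.99.x / 180.60.75.80/31 addresses come from the thread; the interface roles, the /24 mask on the stub, the ACL and pool names, and the spare public address 180.60.75.79 used as the source-NAT address are assumptions:

```cisco
! Provider-side illustration (assumed c1921, VRF VO-ISP). Not from the thread.
! Assumed: Gi0/1 faces the MX (192.168.99.1, as in the ARP output), Gi0/0 is upstream,
! and 180.60.75.79 is a spare public address the provider can dedicate to this customer.
ip vrf VO-ISP

interface GigabitEthernet0/1
 description Private stub towards customer MX250 (mask assumed)
 ip vrf forwarding VO-ISP
 ip address 192.168.99.1 255.255.255.0
 ip nat inside

interface GigabitEthernet0/0
 description Upstream
 ip vrf forwarding VO-ISP
 ip nat outside

! Keep routing the customer's public /31 to the MX WAN address, so the MX's inbound
! 1:many NAT rules still see 180.60.75.80 and .81 as the destination addresses.
ip route vrf VO-ISP 180.60.75.80 255.255.255.254 192.168.99.2

! The MX only sources outbound traffic from its WAN address (192.168.99.2), so the
! provider has to translate that RFC 1918 source to a public address before it
! leaves the VRF. Traffic initiated from the internet towards the routed /31 does
! not match this translation and is simply forwarded to the MX.
ip access-list standard MX-WAN-SRC
 permit host 192.168.99.2
ip nat pool MX-OUT 180.60.75.79 180.60.75.79 netmask 255.255.255.0
ip nat inside source list MX-WAN-SRC pool MX-OUT vrf VO-ISP overload

! Alternative preferred in the reply above: give the MX a public /30 stub instead of
! 192.168.99.0/24 and drop the NAT statements entirely (addresses would be assumed).
```

With the source NAT in place the MX's own connectivity checks and all client traffic leave the provider with 180.60.75.79 as the source, while inbound sessions to .80/.81 are still delivered unchanged to the MX for its 1:many rules. Verify from a host behind the MX which public address a remote service sees, and confirm on the provider router with `show ip nat translations vrf VO-ISP` that entries for 192.168.99.2 appear.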

Ben
A model citizen

@Adam  with my laptop I can reach the .1 but I can't get any further than that. 

The IP configuration on the MX's uplink is the same as it was on the laptop.

 

The MX is online with WAN2, but I always configure this through the local page in case it goes offline.

 

@PhilipDAth Ok, this is exactly what I thought.. I'll get back in touch with the provider to figure this out.

His quick Google skills made him email me to use 1:1 NAT..

 

I'm not sure if they are willing to change their /31 into a /30.

This is a ping from the provider's side towards the MX250. Pings are responding and OK.

But the other way around it does not work.

1921_rtr1_access_AJD#ping vrf VO-ISP 192.168.99.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.99.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

c1921_rtr1_access_AJD#ping vrf VO-ISP 192.168.99.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.99.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

c1921_rtr1_access_AJD#sh arp vrf VO-ISP
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  192.168.99.1          -  881d.fc17.9da1  ARPA  GigabitEthernet0/1
Internet  192.168.99.2          0  e0cb.bc07.8c72  ARPA  GigabitEthernet0/1

 

 

Ben
A model citizen

*Update*

It seems as if the 1:many NAT rules are working.

I can reach internal websites and RDP sessions on the public addresses.

 

Is there any way to do outbound NAT on Meraki?

Packets are getting the 192.168.99.2 address, which makes sense because the MX only has inbound NAT rules.

 

Any ideas? Support is not really catching on and asked me to make sure the provider could allow ICMP and DNS...

 

Cheers,

Ben

PhilipDAth
Kind of a big deal

Meraki can only NAT outbound requests to the IP address on the WAN interface.

Ben
A model citizen

I was afraid of this..

Thinking outside of the box. Any suggestions?

I read here on the community that someone has put an L3 switch in between?

 
