MX64 Behind a checkpoint firewall

New here

MX64 Behind a checkpoint firewall

Perhaps a silly question... I have 2 MX64 appliances. One is on a remote site internet connection that plugs directly into an ADSL router; it connects fine to the dashboard and reports no errors. The other is on our internal network. The one on the internal network is connected to the LAN by the internet socket and gets a local DHCP address. We have configured the firewall to allow this device to go out to the internet, which it does, and it is NATed to an available unused address in our range. Although it can be seen on the dashboard, I get an "Uplink IP address in conflict with another device" error, which is not correct as all addresses are unused. The end result is for the internal Meraki to be paired via VPN to the external site. Has anyone else had this issue? If so, can I ask how you have overcome it?


Or are my assumptions correct that, looking at the uplink config, it needs a direct connection?

6 REPLIES
Conversationalist

Re: MX64 Behind a checkpoint firewall

I had this exact issue. Same devices and everything. Our solution was to move the MX64 beside the CPFW. WAN1 was connected to our DMZ switch. I recall reading somewhere that MXs do not like being behind another firewall. Once we changed that, it was night and day.

Getting noticed

Re: MX64 Behind a checkpoint firewall

I would just echo the comments of @Chris1775: getting the MX out into a DMZ area will resolve the issues you are having.

Kind of a big deal

Re: MX64 Behind a checkpoint firewall

You will get this error if the MX sends an ARP response for its own IP address and something else responds. This can happen if a device has proxy ARP enabled. Try disabling this in your upstream firewall.
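
To make the proxy-ARP explanation above concrete, here is an added example (not from this thread, Meraki or Check Point) that parses constructed ARP reply frames from a capture on the MX's uplink segment and reports which foreign MAC answered for the MX's own address; the frame builder, the `diagnose_uplink_conflict` heuristic and all MAC/IP values are constructed for illustration.

```python
import struct

ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct a minimal Ethernet II + IPv4 ARP reply frame (constructed sample data)."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    sip, tip = (bytes(int(o) for o in ip.split(".")) for ip in (sender_ip, target_ip))
    eth = tmac + smac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + smac + sip + tmac + tip
    return eth + arp

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_mac, sender_ip

def diagnose_uplink_conflict(own_mac, own_ip, frames):
    """Map each foreign MAC that answered for own_ip to a verdict.
    A MAC that also answers for other IPs on the segment behaves like a
    proxy-ARP gateway; one that answers only for own_ip is a real duplicate.
    """
    claims = {}  # sender MAC -> set of IPs it has claimed in replies
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed:
            claims.setdefault(parsed[0], set()).add(parsed[1])
    verdicts = {}
    for mac, ips in claims.items():
        if mac == own_mac.lower() or own_ip not in ips:
            continue
        verdicts[mac] = "proxy-arp-likely" if len(ips) > 1 else "duplicate-ip"
    return verdicts

# Constructed sample capture: the upstream firewall's MAC answers for the
# MX's IP and for a neighbour's IP, which is what proxy ARP looks like on the wire.
MX_MAC, MX_IP = "00:18:0a:11:22:33", "10.0.0.50"
FW_MAC, FW_IP = "00:1c:7f:aa:bb:cc", "10.0.0.1"
SAMPLE_FRAMES = [
    build_arp_reply(MX_MAC, MX_IP, FW_MAC, FW_IP),             # the MX's own reply
    build_arp_reply(FW_MAC, MX_IP, MX_MAC, MX_IP),             # firewall claims the MX's IP
    build_arp_reply(FW_MAC, "10.0.0.51", MX_MAC, MX_IP),       # and a neighbour's IP
    build_arp_reply("00:50:56:00:00:01", "10.0.0.60", MX_MAC, MX_IP),  # unrelated host
]
```

Run against a real capture, a single foreign MAC tagged `proxy-arp-likely` points at the upstream firewall's proxy-ARP setting rather than at a genuinely duplicated address.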

Comes here often

Re: MX64 Behind a checkpoint firewall

CP needs proxy ARP configured. I always forget this one when creating a new NAT.

Kind of a big deal

Re: MX64 Behind a checkpoint firewall

What if you don't use NAT? What about if you just use PAT like a normal web browsing session?

New here

Re: MX64 Behind a checkpoint firewall

We currently have an MX84 in our CoLo and it resides in our DMZ; this has allowed us to connect our 30ish remote locations to it to establish a VPN tunnel for internal networking. So, as @Chris1775 has said, that would be your most viable solution. Our MX84 is currently set as our only hub, while the rest of the remote locations are set as spokes.
