MX64 Behind a checkpoint firewall

Robbo
New here

Perhaps a silly question... I have 2 MX64 appliances. One is on a remote site internet connection that plugs directly into an ADSL router; it connects fine to the dashboard and reports no errors. The other is on our internal network. The one on the internal network is connected to the LAN by the internet socket and gets a local DHCP address. We have configured the firewall to allow this device to go out to the internet, which it does, and it is NATed to an available unused address in our range. Although it can be seen on the dashboard, I get an "Uplink IP address in conflict with another device" error, which is not correct as all addresses are unused. The end result is for the internal Meraki to be paired via VPN to the external site. Has anyone else had this issue? If so, can I ask how you have overcome it?
Or are my assumptions correct that, looking at the uplink config, it needs a direct connection?

Chris1775
Conversationalist

I had this exact issue. Same devices and everything. Our solution was to move the MX64 beside the CPFW. WAN1 was connected to our DMZ switch. I recall reading somewhere that MXs do not like being behind another firewall. Once we changed that, it was night and day.

Ryan-Zimmerle
Getting noticed

I would just echo the comments of @Chris1775: getting the MX out into a DMZ area will resolve the issues you are having.

PhilipDAth
Kind of a big deal

You will get this error if the MX sends an ARP request for its own IP address and something else responds. This can happen if a device has proxy ARP enabled. Try disabling this in your upstream firewall.

TV5000
Comes here often

CP needs proxy ARP configured. I always forget this one when creating a new NAT.
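
The conflict mechanism described in the two replies above (a proxy-ARP firewall answering the MX's ARP probe for its own uplink IP) can be checked for in captured traffic. The following is an added example, not code from the thread or from Meraki or Check Point: it parses raw Ethernet/ARP frames and lists every MAC other than the MX's own that answered an ARP reply claiming the MX's IP. The MAC and IP values are constructed placeholders.

```python
import struct
from collections import namedtuple

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
Arp = namedtuple("Arp", "opcode sender_mac sender_ip target_mac target_ip")

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP frame (constructed test data, not a real capture)."""
    eth_dst = b"\xff" * 6 if opcode == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", eth_dst, sender_mac, ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp

def parse_arp(frame):
    """Return the ARP payload of an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(op, sha, spa, tha, tpa)

def find_ip_claimants(frames, own_mac, own_ip):
    """MACs other than own_mac that sent an ARP reply claiming own_ip.
    A proxy-ARP firewall answering the MX's probe for its own uplink IP lands here."""
    claimants = set()
    for frame in frames:
        arp = parse_arp(frame)
        if (arp and arp.opcode == ARP_REPLY and arp.sender_ip == own_ip
                and arp.sender_mac != own_mac):
            claimants.add(arp.sender_mac)
    return claimants

# Constructed sample traffic: MAC/IP values are placeholders, not from the thread.
MX_MAC, CP_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
MX_IP, GW_IP = bytes([192, 168, 10, 50]), bytes([192, 168, 10, 1])
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, MX_MAC, MX_IP, b"\x00" * 6, MX_IP),  # MX probes its own IP
    build_arp(ARP_REPLY, CP_MAC, MX_IP, MX_MAC, MX_IP),  # proxy ARP answers for it: conflict
    build_arp(ARP_REPLY, CP_MAC, GW_IP, MX_MAC, MX_IP),  # normal reply for the gateway IP
]

if __name__ == "__main__":
    print({m.hex(":") for m in find_ip_claimants(SAMPLE_FRAMES, MX_MAC, MX_IP)})
```

Only the reply that claims the MX's own IP from a foreign MAC is reported; the ordinary reply for the gateway address is ignored.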

PhilipDAth
Kind of a big deal

What if you don't use NAT? What about if you just use PAT like a normal web browsing session?

Bode
New here

We currently have an MX84 in our CoLo and it resides in our DMZ; this has allowed us to connect our 30ish remote locations to it to establish a VPN tunnel for internal networking. So, as @Chris1775 has said, that would be your most viable solution. Our MX84 is currently set as our only hub while the rest of the remote locations are set as spokes.
