Meraki

Community

MX64 Behind a checkpoint firewall

Robbo
New here
‎Oct 20 2017 4:34 AM
‎Oct 20 2017 4:34 AM

MX64 Behind a checkpoint firewall

Perhaps a silly question....I have 2 MX64 appliances. One on a remote site internet connection that plugs direct into an ADSL router that connects fine to the dashboard and reports no errors. The other is on our internal network.  The one on the internal network is connected to the lan by the internet socket and gets a local dhcp address. We have configured the firewall to allow this device to go out to the internet which it does and is NATed to an available unused address in our range. Although it can be seen on the dashboard I get a "Uplink IP address in conflict with another device" which is not correct as all address's are unused. The end result is for the internal meraki to be paired via VPN to the external site. Has anyone else had this issue? If so can I ask how you have overcome it?

 

Or are my assumptions correct looking in the uplink config it needs a Direct connection?

0 Kudos
6 Replies 6
Chris1775
Conversationalist
‎Oct 20 2017 4:40 AM
‎Oct 20 2017 4:40 AM

I had this exact issue. Same devices and everything. Our solution was to move the MX64 beside the CPFW. WAN1 was connected to our DMZ switch. I recall reading somewhere MX's do not like being behind another firewall. Once we changed that, it was night and day.  

0 Kudos
In response to Chris1775
Ryan-Zimmerle
Getting noticed
‎Oct 20 2017 11:49 AM
‎Oct 20 2017 11:49 AM

I would just echo the comments of @Chris1775, getting the MX out into a DMZ area will resolve the issues you are having.  

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 20 2017 12:12 PM
‎Oct 20 2017 12:12 PM

You will get this error if the MX sends an ARP response for its own IP address and something else responds.  This can happen if a device has proxy arp enabled.  Try disabling this in your upstream firewall.

0 Kudos
TV5000
Comes here often
‎Oct 23 2017 12:09 AM
‎Oct 23 2017 12:09 AM

CP needs proxy ARP configured. I always forget this one when creating  a new NAT.

0 Kudos
In response to TV5000
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 23 2017 12:13 AM
‎Oct 23 2017 12:13 AM

What if you don't use Nat? What about if you just use PAT like a normal Web browsing session?
0 Kudos
Bode
New here
‎Oct 25 2017 10:05 AM
‎Oct 25 2017 10:05 AM

We currently have an MX84 in our CoLo and it resides in our DMZ, this has allowed us to connect our 30ish remote locations to it to establish a VPN tunnel for internal networking. So as @Chris1775 has said, that would be your most viable solution. Out MX84 is set currently as our only HUB while the rest of the remote locations are set as spokes.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.