MX68 and OpenVPN Traffic

Solved
eroy

I have a network that has a 3rd party Recorder that needs to communicate back to their network monitoring appliance. They use OpenVPN to establish this connection.

 

I have set up a 1:1 NAT that allows port 1194 to the internal Server's IP address. I also have outbound rules that Allow from Any protocol/source to Any Destination/port.

I can see traffic passing from the internal LAN to the WAN out to the remote IP address of the Monitoring Appliance. However, the connection is not being made for some reason.

Here is a screenshot of the LAN packet capture.

(screenshot: pcap on LAN)

 

I had been directed to another post that had a similar issue here, but adding the static route made no difference.

I have also disabled threat protection, AMP and IDP and have no URL filtering active.

 

Is there some setting that I am missing that explicitly allows OpenVPN traffic? 

 

Thank you for any assistance.
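The diagnosis in the post above comes down to one question a LAN-side capture can answer: does the remote appliance ever reply on UDP/1194, or does the recorder only retransmit its OpenVPN hard-reset? The following script is an added example, not code from the original post or from Meraki: it groups packet records into conversations, flags one-way flows, and decodes the OpenVPN opcode from the first payload byte (top five bits are the opcode, low three the key id). The packet records are constructed sample data; 192.168.1.100 is the recorder address from the thread, while 203.0.113.10 and 203.0.113.20 are placeholders from the documentation range standing in for the remote appliances. On a real capture you would build the same records from a pcap reader instead of the inline list.

```python
from collections import defaultdict

# OpenVPN opcode values as defined in the OpenVPN sources (ssl_pkt.h).
# They sit in the top 5 bits of the first byte of every UDP payload.
OPENVPN_OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
    11: "P_CONTROL_WKC_V1",
}


def openvpn_opcode(payload: bytes) -> str:
    """Name the OpenVPN opcode carried in the first byte of a UDP payload."""
    if not payload:
        return "EMPTY"
    opcode = payload[0] >> 3          # low 3 bits are the key id, ignored here
    return OPENVPN_OPCODES.get(opcode, f"UNKNOWN({opcode})")


def flow_key(pkt):
    """Direction-agnostic 5-tuple so both halves of a conversation share a key."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)


def classify_flows(packets):
    """Per conversation: was traffic seen in both directions, and which
    OpenVPN opcodes appeared in each direction (for UDP/1194 only)."""
    flows = defaultdict(lambda: defaultdict(lambda: {"packets": 0, "opcodes": set()}))
    for pkt in packets:
        direction = f'{pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}'
        entry = flows[flow_key(pkt)][direction]
        entry["packets"] += 1
        if pkt["proto"] == "UDP" and 1194 in (pkt["sport"], pkt["dport"]):
            entry["opcodes"].add(openvpn_opcode(pkt["payload"]))
    return {
        key: {
            "bidirectional": len(dirs) == 2,
            "directions": {d: {"packets": e["packets"], "opcodes": sorted(e["opcodes"])}
                           for d, e in dirs.items()},
        }
        for key, dirs in flows.items()
    }


def one_way_flows(report):
    """Keys of conversations where only one side ever sent anything."""
    return [key for key, r in report.items() if not r["bidirectional"]]


def sample_packets():
    """Constructed sample capture (not the poster's data).
    Flow 1: the recorder sends HARD_RESET_CLIENT_V2 three times and the
            peer never answers, which is what a blocked or unreachable
            appliance looks like from the LAN side.
    Flow 2: a healthy handshake to a second placeholder peer for comparison."""
    def pkt(src, sport, dst, dport, payload):
        return {"proto": "UDP", "src": src, "sport": sport,
                "dst": dst, "dport": dport, "payload": payload}
    client_reset = bytes([7 << 3]) + bytes(13)   # opcode 7, key id 0
    server_reset = bytes([8 << 3]) + bytes(13)
    ack = bytes([5 << 3]) + bytes(13)
    control = bytes([4 << 3]) + bytes(13)
    return [
        pkt("192.168.1.100", 51234, "203.0.113.10", 1194, client_reset),
        pkt("192.168.1.100", 51234, "203.0.113.10", 1194, client_reset),
        pkt("192.168.1.100", 51234, "203.0.113.10", 1194, client_reset),
        pkt("192.168.1.100", 51235, "203.0.113.20", 1194, client_reset),
        pkt("203.0.113.20", 1194, "192.168.1.100", 51235, server_reset),
        pkt("192.168.1.100", 51235, "203.0.113.20", 1194, ack),
        pkt("203.0.113.20", 1194, "192.168.1.100", 51235, control),
    ]


if __name__ == "__main__":
    report = classify_flows(sample_packets())
    for key, r in report.items():
        state = "ok" if r["bidirectional"] else "ONE-WAY"
        print(f"{key[1]}:{key[2]} <-> {key[3]}:{key[4]} [{state}]")
        for d, e in r["directions"].items():
            print(f"  {d}: {e['packets']} pkts, opcodes={e['opcodes']}")
```

A one-way UDP/1194 flow whose only opcode is P_CONTROL_HARD_RESET_CLIENT_V2 tells you the client is sending and nothing is coming back; since the MX tracks state for outbound UDP and allows the replies, the next place to look is the WAN-side capture, the upstream path, or the vendor's appliance, which is where this thread ended up. For a client-initiated OpenVPN session the inbound 1:1 NAT on 1194 is not what carries the return traffic; it only matters if the remote side initiates toward the recorder.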

 

1 Accepted Solution
alemabrahao

Have you tried this?

(screenshot)

If you don't have any rule blocking inbound and outbound, it's probably not an MX issue.

For me, it does not make sense, but you can try to create a Bonjour forwarding rule.

(screenshot)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

9 Replies
alemabrahao

I didn't understand: is this communication via VPN or via public IP?

eroy

It is going over the public IP. The Meraki MX should just be passing the traffic through.

alemabrahao

If it is via public IP, what is the role of OpenVPN? It's a little confusing.

alemabrahao

By the way, have you tried to allow any port on your 1:1 NAT? Just for a test.

eroy

I tried an any port for their remote IP. I will re-test with an any from any remote IPs just to make sure.

eroy

The Recording Server on the internal network (192.168.1.100) needs to communicate with their IIC Network Monitoring Appliance, which they state is using OpenVPN.

The reason I mention OpenVPN is that the vendor believes the adaptive portion of the firewall is blocking the traffic and is asking about allowing OpenVPN traffic.

Which I assume I have done by allowing the NAT 1:1 for Port 1194 and also by adding an any protocol/port for their IP address.


eroy

I'll mark this as the accepted solution as it was not a MX issue. Thank you for your help.

KeenLogic

What was the issue then?