MX84 MPLS/Private WAN connection with NAT

JosefN
Here to help

MX84 MPLS/Private WAN connection with NAT

Hello,

 

We are trying to accomplish a scenario with a private connection/MPLS to a remote subnet where a server resides. However,  we have failed to make it work. The MPLS connection in the service provider network utilizes public ip addresses (but the network has no route to the internet).

 

 

Uplink 1:

Internet Connectivity

 

Uplink2 OR a VLAN interface:

MPLS/Private connection to a service provider network with public IP-addresses. In this network a server should be reachable for the clients.

 

Tested Methods:

 

Method 1# Configured the connection on UPLINK2 + added static route for the remote subnet.

We have tried to configure this WAN connection as second uplink. In this method we are unable to send any traffic or ping through the network. Our idea is that this is caused by MX behavior (the MX is unable to have an uplink without Internet access? ) according to this link https://community.meraki.com/t5/Security-SD-WAN/Flow-Preference-to-a-non-internet-WAN-port/td-p/5763...

 

Method 2# Configured the network on a new VLAN interface + added static route

Therefore we have also tried to configure the connection as a local subnet/VLAN interface and created a static route. In this scenario we are able to ping from the MX firewall to the remote server / network. The clients are however not able to ping the remote network. This is probably because we are unable to configure a NAT setting that allows traffic from LAN to the remote network to be NATed. 

 

The configuration is similar to this article Integrating an MPLS Connection on the MX LAN - Cisco Meraki , however, since the private connection utilizes public IP-adresses, we also need to apply NAT. Is this supported on a local subnet , if so how do we configure it?

 

 

 

Question:

  • Is the above scenario supported?
  • Can we disable the MX wan behavior that disables traffic on Uplink 2 if the MX can't ping the internet through the uplink?
  • If we utilize method 2 , how do we configure NAT on a local subnet (in other words for traffic not exiting through an uplink interface).

Meraki Scenario.JPG

10 REPLIES 10
UCcert
Kind of a big deal

hi @JosefN , without the connection to the internet this isn’t going to work. I believe there’s a closed ISP Beta which addresses this but that isn’t going to help you now.

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
UCcert
Kind of a big deal

“(the MX is unable to have an uplink without Internet access? ) according to this link“

 

- correct 

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

@UCcert 

 

Hmm ok. Do you know what IP the Meraki will need to be able to ping in order for this to work / consider the uplink "up"?

ww
Kind of a big deal
Kind of a big deal
ww
Kind of a big deal
Kind of a big deal

Cant the wan provider route back the subnet 172.16.0.0/24 to the mx84

JosefN
Here to help

Hi,

@ww 

 

No they cant. This is because the server is not the customers own, it's a third party service. Allowing private IP's would be messy then.

MilesMeraki
Head in the Cloud

Is your ISP the same as the MPLS provider? If so they might be able to re-route the traffic coming from the public IP of WAN 1 to your private IPVPN inside their MPLS network to be able to connect to the private server?

 

If not; Why do you not just acccess the Public server across the Internet? I assume you need this traffic to be private/encrypted?

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

@MilesMeraki 

 

Unfortunately not. I also checked with them if they can route internet traffic via the private connection, and that was not allowed.


It's unfortunately not a public server, it's a very secure finance server, it just happens to have a design with public ip (probably because many different customers need to access it and using a private ip design would probably cause issues with network conflicts).

Bummer. I'd reach out to support/your account manager to see if they can put you in touch with a SE to see if there is a feature available that can allow for NAT on LAN interfaces.
Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
JosefN
Here to help

Thanks everyone for you help.

 

We have now confirmed with the Sales Engineer that this scenario is not supported. There is an ISP beta, but we are unable to run a beta on this kind of production environment.

 

We'll investigate if IPSEC is an alternative , return the equipment or place an intermediate router to NAT between the LAN and CPE.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels