Hello,
We are trying to accomplish a scenario with a private connection/MPLS to a remote subnet where a server resides. However, we have failed to make it work. The MPLS connection in the service provider network utilizes public IP addresses (but the network has no route to the internet).
Uplink 1:
Internet Connectivity
Uplink2 OR a VLAN interface:
MPLS/Private connection to a service provider network with public IP addresses. In this network a server should be reachable for the clients.
Tested Methods:
Method 1: Configured the connection on UPLINK2 + added a static route for the remote subnet.
We have tried to configure this WAN connection as a second uplink. In this method we are unable to send any traffic or ping through the network. Our idea is that this is caused by MX behavior (the MX is unable to have an uplink without Internet access?) according to this link https://community.meraki.com/t5/Security-SD-WAN/Flow-Preference-to-a-non-internet-WAN-port/td-p/5763...
Method 2: Configured the network on a new VLAN interface + added a static route
Therefore we have also tried to configure the connection as a local subnet/VLAN interface and created a static route. In this scenario we are able to ping from the MX firewall to the remote server / network. The clients are however not able to ping the remote network. This is probably because we are unable to configure a NAT setting that allows traffic from LAN to the remote network to be NATed.
The configuration is similar to this article, Integrating an MPLS Connection on the MX LAN - Cisco Meraki. However, since the private connection utilizes public IP addresses, we also need to apply NAT. Is this supported on a local subnet, and if so, how do we configure it?
Question:
Hi @JosefN, without the connection to the internet this isn't going to work. I believe there's a closed ISP Beta which addresses this, but that isn't going to help you now.
"(the MX is unable to have an uplink without Internet access?) according to this link"
- correct
Hmm ok. Do you know what IP the Meraki will need to be able to ping in order for this to work / consider the uplink "up"?
Can't the WAN provider route the subnet 172.16.0.0/24 back to the MX84?
Hi,
No, they can't. This is because the server is not the customer's own, it's a third party service. Allowing private IPs would be messy then.
Is your ISP the same as the MPLS provider? If so they might be able to re-route the traffic coming from the public IP of WAN 1 to your private IPVPN inside their MPLS network to be able to connect to the private server?
If not, why do you not just access the public server across the Internet? I assume you need this traffic to be private/encrypted?
Unfortunately not. I also checked with them if they can route internet traffic via the private connection, and that was not allowed.
It's unfortunately not a public server, it's a very secure finance server; it just happens to have a design with public IPs (probably because many different customers need to access it and using a private IP design would probably cause issues with network conflicts).
Thanks everyone for your help.
We have now confirmed with the Sales Engineer that this scenario is not supported. There is an ISP beta, but we are unable to run a beta on this kind of production environment.
We'll investigate whether IPsec is an alternative, return the equipment, or place an intermediate router to NAT between the LAN and the CPE.