Public IPs not Pingable!

khurram
Here to help

I have a /28 public IP pool and have set my security appliance to NAT mode, and I have given the rest of the public IP addresses to my clients through MS 220, 350 & 425 switches. Clients are complaining that they can't ping or access their public IPs from other ISPs.

Kindly help me fix this issue.

 

Regards

Khurram Shahzad

MerakiDave
Meraki Employee

I would suggest opening a case with Meraki Support for configuration assistance. I'm not sure I understood your exact design requirement, but it sounds like you may want to configure the MX in NAT mode as an Internet-facing firewall and then have a DMZ VLAN configured with public-facing machines (a web server, perhaps), along with internal VLAN(s) and some 1:1 NAT rules. Perhaps this Support doc might be useful: https://documentation.meraki.com/MX-Z/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Securi... But I'd suggest opening a case with Support and including a network diagram with your addressing, and describing the pings to your public IPs that are failing. If applicable, also check out the separate support docs on 1:1 NAT and port forwarding: https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Configuring_1%3A1_NAT and https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_M... Hope that helps!

PhilipDAth
Kind of a big deal

Is your security appliance doing DHCP and giving your clients private IP addresses (which will then be NATed)?

Yes, my security appliance is assigning private IP addresses to my clients through DHCP, but I have assigned public IPs to some customers. Through that, the internet works fine, but they cannot ping their public IP from other ISPs.

Adam
Kind of a big deal

Security Appliance > Firewall

When you set up the public IP to LAN IP NAT, you have to set the allowed inbound connections rule to:

Protocol: ICMP

Remote IPs: Any, or a subnet if you want to be more specific about who can ping.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

Dear Adam, I am not assigning private IPs to my clients. I am assigning them public IPs.

Adam
Kind of a big deal

Ah, so you are having issues pinging out? Is there any difference if you ping the IP directly vs. by name, to make sure it isn't a DNS issue?


The internet is working fine; the customer can ping any website from his system, but whenever he tries to access his router from other ISPs he can't access or ping it.

I have opened a case with Cisco Meraki, but they are not providing me any solution and are not even bothering to reply to my emails. Kindly suggest a solution, as I am losing my clients.

PhilipDAth
Kind of a big deal

Like @Adam, I cannot clearly understand your configuration, which is making it very hard to help you. Let's get specific.

Please answer these questions:

  1. The outside public IP address of the MX is:
  2. The internal IP address of a client is:
  3. The public IP address you are using for NAT to the above client is:

For the ping that does not work:

  1. The ping is being done from a machine with the IP address:
  2. The IP address being pinged is:

Kindly see the topology diagram below; 5.5.5.0 is the public IP subnet. [Attachment: Meraki Diagram.jpg]

Adam
Kind of a big deal

Thank you for the diagram. Now give me an example of which one of the devices depicted cannot get to what kind of destination.


Whenever I try to ping 5.5.5.3 from another ISP I always get a "request timed out" message.

Adam
Kind of a big deal

"Whenever I try to ping 5.5.5.3 from another ISP I always get a 'request timed out' message."

So you mean that if some external source tries to ping the 5.5.5.3 client, they get "request timed out" or no replies?

If you want publicly accessible IPs on your private clients, I think you'd want to do either of the following:

1. Set the MX to passthrough mode.

2. Keep the MX set to NAT mode and give your internal client machines an internal DHCP range or static IPs. For example, if PC-PT had an internal static IP of 10.0.0.3, then go to Security Appliance > Firewall and set up your 1:1 NATs with selective "allowed inbound connections" firewall rules. Here is a screenshot example. [Attachment: nat.PNG]

MRCUR
Kind of a big deal

Agreed with @Adam suggestion. It sounds like the MX is running in NAT mode and doing exactly what it should be doing. 

MRCUR | CMNO #12

If I set the MX to passthrough mode, can I still apply Layer 7 policy?

Kindly reply: if we set the MX to passthrough mode, can we still apply policies?

MRCUR
Kind of a big deal

@khurram wrote:

If I set the MX to passthrough mode, can I still apply Layer 7 policy?

PaulRusso
Conversationalist

It looks like the policies should be applied in passthrough mode. It would be worth a try; however, I would recommend creating DMZs and NATting to private IPs to allow for more firewall rules to be managed more easily.

 

"An MX/Z1 in passthrough mode can be configured to perform a number of functions like when in NAT mode. However, the appliance acts as an invisible third party, only touching traffic when required by a configured function. It can passively perform intrusion detection and collect statistics about traffic passing through it without taking action. It can also perform traffic shaping and content/security filtering functions to intercept and manipulate traffic as needed:"

 

https://documentation.meraki.com/MX-Z/Networks_and_Routing/Passthrough_Mode_on_the_MX_Security_Appli...

You have some E-Plus numbers there?
Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

What are E-Plus numbers?

E-Plus used to be a German mobile network operator; they were merged with the Telefónica subsidiary O2 Deutschland. The IP numbers you have indicated are original E-Plus IP addresses:
5.1.128.0 - 5.1.255.255 E-Plus Mobilfunk GmbH
5.4.0.0 - 5.7.255.255 E-Plus Mobilfunk GmbH
Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

I mentioned these IP addresses only for illustration.

Probably better to use something like x.x.5.5 to disguise real public IP addresses.
Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Adam
Kind of a big deal

I'm trying to pin down your issue so I can understand it more clearly and provide some things to try. So far I've understood that the clients on this network are being directly assigned public IPs. They can access everything public just fine, but not the internal router?
BrettV
Just browsing

Hi Khurram,

 

Did you ever figure this one out?
