Public IPs not Pingable!
I have a /28 public IP pool, have set my security appliance in NAT mode, and have given the rest of the public IP addresses to my client through MS 220, 350 & 425. Clients are complaining that they can't ping and access public IPs from other ISPs.
Kindly help me to fix this issue.
Regards
Khurram Shahzad
I would suggest opening a case with Meraki Support for configuration assistance. Not sure if I understood your exact design requirement, but it sounds like you may want to configure the MX in NAT mode as an Internet-facing firewall and then have a DMZ VLAN configured with public-facing machines like a web server perhaps, along with internal VLAN(s) and some 1:1 NAT rules. Perhaps this Support doc might be useful: https://documentation.meraki.com/MX-Z/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Securi... But I'd suggest opening a case with Support; include a network diagram with your addressing and describe the pings that are failing to your public IPs. If applicable, also check out the separate support docs on 1:1 NAT and port forwarding: https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Configuring_1%3A1_NAT and https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_M... Hope that helps!
Is your security appliance doing DHCP and giving your clients private IP addresses (which will then be NATed)?
Yes, my security appliance is assigning private IP addresses to my client through DHCP, but I have assigned public IPs to some customers. Through those, the internet works fine, but they cannot ping the public IPs from other ISPs.
Security Appliance > Firewall
When you set up the Public IP to LAN IP NAT you have to set the allowed inbound connections rule to:
Protocol: ICMP
Remote IPs: Any or a subnet if you want to be more specific on who can ping.
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Dear, I am not assigning private IPs to my client. I am assigning them public IPs.
Ah so you are having issues pinging out? Any difference if you ping the IP directly vs name to make sure it isn't a DNS issue?
I have put in my case with Cisco Meraki, but they are not providing me any solution, not even bothering to reply to my emails. Kindly suggest the solution as I am losing my clients.
Like @Adam, I cannot clearly understand your configuration, which is making it very hard to help you. Let's get specific.
Please answer these questions:
- The outside public IP address of the MX is:
- The internal IP address of a client is:
- The public IP address you are using for NAT to the above client is:
For the ping that does not work:
- The ping is being done from a machine with the IP address:
- The IP address being ping'ed is:
Kindly see the topology diagram below; 5.5.5.0 is the public IP subnet.
Thank you for the diagram. Now give me an example of which one of the devices depicted cannot get to what kind of destination?
"whenever I tried to ping 5.5.5.3 from other ISP always get "request timed out" message."
So you mean if some external source tries to ping the 5.5.5.3 client they get request timed out or no replies?
If you are wanting publicly accessible IPs on your private clients I think you'd want to do either of the following.
1. Set the MX to passthrough mode
2. Keep the MX set to NAT mode and give your internal client machines some internal DHCP range of static IPs. For example, if PC-PT had an internal static IP of 10.0.0.3, then go to Security Appliance > Firewall and set up your 1:1 NATs with selective "allowed inbound connection" firewall rules. Here would be a screenshot example.
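The 1:1 NAT option described above, as an added example that is not part of any poster's reply or of Meraki's code: a small Python model of how a NAT-mode firewall decides whether an outside ping reaches a public IP, plus a review of rules left open to any source. The rule field names (`publicIp`, `lanIp`, `allowedInbound`, `allowedIps`, `icmp-ping`) are assumptions modeled on the shape of Dashboard 1:1 NAT rules; the rules and source addresses are constructed, with 5.5.5.3 and 10.0.0.3 taken from the thread.

```python
import ipaddress

# Constructed sample rules; field names are an assumed rule shape, not an API reference.
RULES = [
    {"publicIp": "5.5.5.3", "lanIp": "10.0.0.3",
     "allowedInbound": [{"protocol": "icmp-ping", "allowedIps": ["any"]}]},
    {"publicIp": "5.5.5.4", "lanIp": "10.0.0.4",
     "allowedInbound": [{"protocol": "tcp", "destinationPorts": ["443"],
                         "allowedIps": ["198.51.100.0/24"]}]},
]

def _source_allowed(src, allowed_ips):
    """True if src matches 'any' or falls inside one of the listed IPs/subnets."""
    addr = ipaddress.ip_address(src)
    for entry in allowed_ips:
        if entry.lower() == "any":
            return True
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def ping_verdict(rules, public_ip, src):
    """Decide whether an inbound echo request from src to public_ip is forwarded.

    Models NAT mode: unsolicited inbound traffic is dropped unless a 1:1 NAT
    rule for that public IP has an allowed-inbound entry matching ICMP and src.
    """
    for rule in rules:
        if rule["publicIp"] != public_ip:
            continue
        for inbound in rule.get("allowedInbound", []):
            if inbound["protocol"] in ("icmp-ping", "any") and \
                    _source_allowed(src, inbound["allowedIps"]):
                return ("forward", rule["lanIp"])
        return ("drop", "1:1 NAT exists but ICMP from this source is not allowed")
    return ("drop", "no 1:1 NAT rule for this public IP")

def open_to_any(rules):
    """List (publicIp, protocol) pairs reachable from any source, for review."""
    return [(r["publicIp"], i["protocol"])
            for r in rules for i in r.get("allowedInbound", [])
            if any(a.lower() == "any" for a in i["allowedIps"])]

if __name__ == "__main__":
    for ip in ("5.5.5.3", "5.5.5.4", "5.5.5.5"):
        print(ip, ping_verdict(RULES, ip, "203.0.113.10"))
    print("open to any:", open_to_any(RULES))
```

A "drop" verdict here corresponds to the "request timed out" the outside tester sees; `open_to_any` is the list to revisit if ping should only be answered for a monitoring subnet.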
Agreed with @Adam's suggestion. It sounds like the MX is running in NAT mode and doing exactly what it should be doing.
If I set MX in Pass Through Mode should I still manage to apply layer 7 Policy?
Kindly reply if we set the MX in pass-through-mode do we still apply policies?
@khurram wrote: If I set MX in Pass Through Mode should I still manage to apply layer 7 Policy.
It looks like the policies should be applied in passthrough mode. It would be worth a try; however, I would recommend creating DMZs and NATting to private IPs to allow for more firewall rules to be managed more easily.
"An MX/Z1 in passthrough mode can be configured to perform a number of functions like when in NAT mode. However, the appliance acts as an invisible third party, only touching traffic when required by a configured function. It can passively perform intrusion detection and collect statistics about traffic passing through it without taking action. It can also perform traffic shaping and content/security filtering functions to intercept and manipulate traffic as needed:"
5.1.128.0 - 5.1.255.255 E-Plus Mobilfunk GmbH
5.4.0.0 - 5.7.255.255 E-Plus Mobilfunk GmbH
Hi Khurram,
Did you ever figure this one out?