Routing public addresses out of a remote MX

MarkT
Conversationalist

Is it possible to route individual public IP addresses out of a remote site's MX?

This is because we have to whitelist the WAN address of each MX on a number of financial sites.

So from the Nottingham office I would like to route some traffic destined for these sites out of the London office.

Thanks in advance

Mark.

cmr
Kind of a big deal

If you add a specific IP route on the HQ MX that points to the next hop on the internet link and that MX is part of the auto-VPN, you could choose to advertise it to the other sites.  That might work.

PhilipDAth
Kind of a big deal

>If you add a specific IP route on the HQ MX that points to the next hop on the internet link

Good thought @cmr but you cannot add a static route via a WAN interface - only a VLAN interface. However you are going in the correct direction.

@MarkT this is not easy to do in Meraki land. What you basically have to do is have two MX at the HQ (or an MX and another firewall).

One MX runs in VPN concentrator mode, and is what all your AutoVPN connections terminate on, and it sits behind the next MX/firewall. The other MX (or firewall) provides the actual connection to the Internet. Now we use @cmr's idea. The VPN concentrator will allow the static route to now be added pointing to the other firewall (which is also its default route). You can then publish this static route into AutoVPN.
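A check on the design described in the reply above, as an added example that is not part of the original thread: it models the branch's route table after the hub publishes specific routes into AutoVPN and lists any whitelisted destination that would still leave via the branch's own WAN. The addresses, route labels and function names are constructed for illustration, and ordinary longest-prefix-match route selection is assumed.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not from the thread).
# Route table as the Nottingham branch would see it once the hub publishes
# specific routes into AutoVPN: (prefix, next-hop label).
BRANCH_ROUTES = [
    ("0.0.0.0/0", "local-wan"),             # normal internet breakout at the branch
    ("10.0.0.0/8", "autovpn-london"),       # internal networks via the hub
    ("203.0.113.10/32", "autovpn-london"),  # financial site A, published by the hub
    ("198.51.100.0/28", "autovpn-london"),  # financial site B range, published by the hub
]

# Destinations whose owners have whitelisted only the London WAN address.
WHITELISTED_DESTINATIONS = ["203.0.113.10", "198.51.100.5", "198.51.100.20"]


def next_hop(dest, routes):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1]


def audit(destinations, routes, required_hop="autovpn-london"):
    """Return destinations that would leave via the wrong egress."""
    return [d for d in destinations if next_hop(d, routes) != required_hop]


if __name__ == "__main__":
    for d in WHITELISTED_DESTINATIONS:
        print(f"{d:>15} -> {next_hop(d, BRANCH_ROUTES)}")
    # 198.51.100.20 falls outside the published /28 and follows the default route.
    print("leaking via branch WAN:", audit(WHITELISTED_DESTINATIONS, BRANCH_ROUTES))
```

Any address the audit returns would reach the financial site from the branch's own WAN address, so the hub needs to publish a route that covers it.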

cmr
Kind of a big deal

Thanks @PhilipDAth we run our DC MXs in concentrator mode and do add external routes over the internet, wasn't sure if you could use the WAN interface in routed mode, glad you could clarify 😀

MarkT
Conversationalist

Thanks PhilipDAth, this is the direction I was heading in. I'm fairly new to Meraki so wasn't sure if I was missing something in the config.

Thanks cmr for your quick response.
