Static Routes with 2 Meraki MX's across two different companies

SOLVED
mo_unify
Getting noticed

Static Routes with 2 Meraki MX's across two different companies

Hey guys

 

Bit of a weird one, thought it was going to be easy but I may have overlooked what can be possible.

 

So I have an organisation that has a sub-company (separate entity), both use Meraki MX64.

Company 1 has a connection into the internet and Company 2 is using a NAT'd IP from Company 1.

 

Company 1 needs to be able to connect the computer in Company 2, so I've applied a Static route on the 10.0.99.0/24 subnet to route through 192.168.0.30.

In the traceroute and packet trace, I can see that any ping going to 10.0.99.3 successfully routes to the company MX64 but then packet doesn't get delivered, as if the MX64 in Company 2 doesn't know where to route the ticket or the Meraki is filtering/dropping the packet. 

 

On the packet capture of the Company 2 I can see the ping request, but there is no reply! 

 

What should I look out for?

Screen Shot 2021-08-10 at 8.52.32 pm.jpg

1 ACCEPTED SOLUTION
Bruce
Kind of a big deal

@mo_unify , the only way to do it with the NAT method is to enter every single IP address for the entire subnet... which isn't practical.

 

If you need an entire subnet opened then the best approach will be to log a ticket with support to get the Company 2 MX network enabled for No-NAT. When this has been done you can specify that NAT is not to be used on a specific WAN port, or a specific VLAN on a specific WAN port.

 

Just be aware that when No-NAT support is enabled it also enables the inbound firewall rules for independent configuration (so no longer tied to the NAT translations), but by default it allows everything inbound (generally not desirable) so you need to start by fixing that.

 

Once No-NAT is enabled, you can turn off NAT for the 10.0.99.0/24 VLAN, and then after adding a 'deny any any' rule to the inbound firewall you can then fine tune your rules to what you actually want.

View solution in original post

5 REPLIES 5
KarstenI
Kind of a big deal
Kind of a big deal

I do not really get your actual setup, but here is how I would implement it:

  • Connect both MXes with the WAN-ports to the internet.
  • Use a free port on both MXes to link both together
  • Configure a shared VLAN on both sides using this link
  • Configure static routes on both sides pointing to the other side
  • Configure the Firewalls to allow desired inbound access

I should have noted that the Company 1 and Company 2 are 150m apart and connected via a Wireless microwave link -so we're not able to do this 

Screen Shot 2021-08-11 at 1.31.15 am.jpg

Bruce
Kind of a big deal

@mo_unify, what you need to understand is that when a MX is operating in NAT/routed mode all traffic passing out through the WAN port is NATed (it’s actually a PAT) to the WAN IP address, and so from the outside there is no visibility (or knowledge) of any IP addresses on the inside - and to add to that the inbound firewall will drop the traffic. That’s the default setup.

 

Probably the easiest way to achieve what you’re looking for is to create a 1:1 NAT on the company 2 MX, with both the public/outside and private/inside address of the NAT being 10.0.99.3. By doing this you provide visibility from the outside of that IP address, and in the NAT configuration you also get to specify from which addresses traffic to this NAT is allowed from, which basically sets up the inbound firewall.

 

There are also other ways of achieving this, and as @KarstenI stated it’s worth having a look at the overall design to see if there is a better way of achieving your desired connectivity.

mo_unify
Getting noticed

That works!

 

Is there anyway to open up the entire 10.0.99.0/24 subnet using this method, or do I have to define every endpoint within the subnet in order to open up the firewall?

Bruce
Kind of a big deal

@mo_unify , the only way to do it with the NAT method is to enter every single IP address for the entire subnet... which isn't practical.

 

If you need an entire subnet opened then the best approach will be to log a ticket with support to get the Company 2 MX network enabled for No-NAT. When this has been done you can specify that NAT is not to be used on a specific WAN port, or a specific VLAN on a specific WAN port.

 

Just be aware that when No-NAT support is enabled it also enables the inbound firewall rules for independent configuration (so no longer tied to the NAT translations), but by default it allows everything inbound (generally not desirable) so you need to start by fixing that.

 

Once No-NAT is enabled, you can turn off NAT for the 10.0.99.0/24 VLAN, and then after adding a 'deny any any' rule to the inbound firewall you can then fine tune your rules to what you actually want.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels