Meraki

mo_unify · ‎Aug 10 2021

Hey guys

Bit of a weird one, thought it was going to be easy but I may have overlooked what can be possible.

So I have an organisation that has a sub-company (separate entity), both use Meraki MX64.

Company 1 has a connection into the internet and Company 2 is using a NAT'd IP from Company 1.

Company 1 needs to be able to connect the computer in Company 2, so I've applied a Static route on the 10.0.99.0/24 subnet to route through 192.168.0.30.

In the traceroute and packet trace, I can see that any ping going to 10.0.99.3 successfully routes to the company MX64 but then packet doesn't get delivered, as if the MX64 in Company 2 doesn't know where to route the ticket or the Meraki is filtering/dropping the packet.

On the packet capture of the Company 2 I can see the ping request, but there is no reply!

What should I look out for?

Bruce · ‎Aug 10 2021

@mo_unify , the only way to do it with the NAT method is to enter every single IP address for the entire subnet... which isn't practical.

If you need an entire subnet opened then the best approach will be to log a ticket with support to get the Company 2 MX network enabled for No-NAT. When this has been done you can specify that NAT is not to be used on a specific WAN port, or a specific VLAN on a specific WAN port.

Just be aware that when No-NAT support is enabled it also enables the inbound firewall rules for independent configuration (so no longer tied to the NAT translations), but by default it allows everything inbound (generally not desirable) so you need to start by fixing that.

Once No-NAT is enabled, you can turn off NAT for the 10.0.99.0/24 VLAN, and then after adding a 'deny any any' rule to the inbound firewall you can then fine tune your rules to what you actually want.

View solution in original post

KarstenI · ‎Aug 10 2021

I do not really get your actual setup, but here is how I would implement it:

Connect both MXes with the WAN-ports to the internet.
Use a free port on both MXes to link both together
Configure a shared VLAN on both sides using this link
Configure static routes on both sides pointing to the other side
Configure the Firewalls to allow desired inbound access

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

mo_unify · ‎Aug 10 2021

I should have noted that the Company 1 and Company 2 are 150m apart and connected via a Wireless microwave link -so we're not able to do this

Bruce · ‎Aug 10 2021

@mo_unify, what you need to understand is that when a MX is operating in NAT/routed mode all traffic passing out through the WAN port is NATed (it’s actually a PAT) to the WAN IP address, and so from the outside there is no visibility (or knowledge) of any IP addresses on the inside - and to add to that the inbound firewall will drop the traffic. That’s the default setup.

Probably the easiest way to achieve what you’re looking for is to create a 1:1 NAT on the company 2 MX, with both the public/outside and private/inside address of the NAT being 10.0.99.3. By doing this you provide visibility from the outside of that IP address, and in the NAT configuration you also get to specify from which addresses traffic to this NAT is allowed from, which basically sets up the inbound firewall.

There are also other ways of achieving this, and as @KarstenI stated it’s worth having a look at the overall design to see if there is a better way of achieving your desired connectivity.

mo_unify · ‎Aug 10 2021

That works!

Is there anyway to open up the entire 10.0.99.0/24 subnet using this method, or do I have to define every endpoint within the subnet in order to open up the firewall?

Bruce · ‎Aug 10 2021