Topology question : MX64 behind ISP gateway router (client VPN requested)

Solved
FrederiqueC
Here to help


Greetings.

 

I'm having this topology question. One of my customers is changing ISP and getting a new edge router which cannot be configured in bridged mode. Behind it, I have an MX64 router which is currently configured in Routed Mode that ensures client VPN functionalities among other things.

Unfortunately, the ISP's router cannot be changed since it also performs proprietary functionalities that are mandatory.

My question is: Do I need to switch to Passthrough Mode in order to get the Client VPN to work? Or will remaining in Routed Mode (with a static WAN RFC 1918 IP address) and using "double NAT" (since it seems that Routed mode with no NAT is not possible on a Meraki) suffice?

 

Thank you all for your insights on that matter.

Frederique C.

 

 

 

1 Accepted Solution
ErikS
Conversationalist

What we usually do in this case is set the MX64 up with a static IP on the ISP modem/router subnet and configure port forwarding for it (ports UDP 500 & UDP 4500 for Client VPN). If the customer is running any other local services it may make sense to set the Meraki's IP up as DMZ host on the ISP modem/router.

There is an option available in beta firmware to disable the NATting on one or both uplinks, although I have never tried that personally.
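
An added example, not part of the post above and not Meraki tooling: a pre-flight check of the addressing plan for an MX placed behind the ISP router, which also lists the UDP 500/4500 forwards the answer names. The function name, the rule tuple layout and all addresses are constructed for illustration; the overlap checks go beyond the answer and are general double-NAT hygiene.

```python
import ipaddress
from itertools import combinations

# UDP ports the answer above says to forward for Client VPN.
CLIENT_VPN_UDP_PORTS = (500, 4500)

def check_double_nat_plan(isp_lan, isp_gateway, mx_wan_ip, mx_inside_subnets):
    """Validate the plan; return (problems, forwards).

    mx_inside_subnets maps a label to a CIDR: the MX LAN/VLAN subnets
    plus the Client VPN subnet (hypothetical input format).
    forwards is a list of (proto, outside_port, inside_ip, inside_port).
    """
    net = ipaddress.ip_network(isp_lan)
    gw = ipaddress.ip_address(isp_gateway)
    wan = ipaddress.ip_address(mx_wan_ip)
    problems = []

    # The MX uplink must be a usable host address on the ISP router's LAN.
    if wan not in net:
        problems.append(f"{wan} is not inside the ISP router LAN {net}")
    elif wan in (net.network_address, net.broadcast_address):
        problems.append(f"{wan} is the network or broadcast address of {net}")
    if wan == gw:
        problems.append(f"{wan} collides with the ISP router's own address")

    # Subnets behind the MX must not overlap the subnet on its WAN side,
    # otherwise the MX cannot tell inside traffic from uplink traffic.
    inside = {name: ipaddress.ip_network(c) for name, c in mx_inside_subnets.items()}
    for name, sub in inside.items():
        if sub.overlaps(net):
            problems.append(f"{name} {sub} overlaps the ISP router LAN {net}")
    # The Client VPN subnet must also be distinct from the MX LAN subnets.
    for (a, sa), (b, sb) in combinations(inside.items(), 2):
        if sa.overlaps(sb):
            problems.append(f"{a} {sa} overlaps {b} {sb}")

    forwards = [("udp", p, str(wan), p) for p in CLIENT_VPN_UDP_PORTS]
    return problems, forwards

if __name__ == "__main__":
    # Constructed sample plan: ISP router LAN 192.168.1.0/24, MX uplink at .2.
    problems, forwards = check_double_nat_plan(
        "192.168.1.0/24", "192.168.1.1", "192.168.1.2",
        {"LAN": "10.0.10.0/24", "Client VPN": "10.0.99.0/24"})
    for line in problems or ["plan is consistent"]:
        print(line)
    for proto, port, ip, inside_port in forwards:
        print(f"forward {proto}/{port} -> {ip}:{inside_port}")
```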


FrederiqueC
Here to help

Hello,

Thank you for your answer.

I usually use this method with Cisco 800 routers (setting it as a DMZ host on the ISP router) but I was not sure that I could do it with the Meraki since I was not sure that NAT would not be in the way.

I'm quite new to Meraki config. and not used to these Plug and Play interfaces 🙂 since I'm usually using 800/1900 Cisco Routers. So, correct me if I understood incorrectly, I can do what I usually do: set the Meraki as the DMZ host of the ISP router and configure the Client VPN on the Meraki as if the Meraki was on the edge.

 

Thank you for your help,

Frederique

 
