Meraki

Community

Traffic flow, ip and ports between a on-prem MX 250B and external z3 and z4's

dtamburin
Just browsing
‎Jul 22 2024 8:53 AM
‎Jul 22 2024 8:53 AM

Traffic flow, ip and ports between a on-prem MX 250B and external z3 and z4's

I need to understand the traffic flow for the setup of a vpn tunnel between a on-prem MX 250B and a z3 and/or z4.

I also need to now what ports are required and ips.

 

As far as I understand at this time.

the Z3's register with a VPN registry, somewhere.

When they want to start a tunnel, the registry reaches out to the MX250 with their public ip.

Then the MX250 sets the tunnel up directly?

 

thanks,

Davidt

0 Kudos
7 Replies 7
GreenMan
Meraki Employee
Meraki Employee
‎Jul 22 2024 9:11 AM
‎Jul 22 2024 9:11 AM

I'd really recommend having a read of this:
https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

Key point:    what you need to configure (assuming your MXs are claimed and have basic config) will appear under ? > Firewall info in the top right of the Dashboard.

In response to GreenMan
dtamburin
Just browsing
‎Jul 22 2024 9:20 AM
‎Jul 22 2024 9:20 AM

Thanks, I did read that and everything is up and running fine. The issues are that security wants to lock communication to the bare minimum.

So I need to know what side initiates, what the traffic flow is etc.

 

Is that document saying that a tunnel is set up,  MX---registry---Z3 ?  or MX---Z3 after consulting the registry?  because if that is the case we would need all public ips.

 

0 Kudos
In response to dtamburin
ww
Kind of a big deal
Kind of a big deal
‎Jul 22 2024 10:57 AM
‎Jul 22 2024 10:57 AM

The vpn tunnel is setup between mx.

Ports used for IPsec tunneling:

 

Source UDP port range 32768-61000

Destination UDP port range 32768-61000

0 Kudos
In response to ww
dtamburin
Just browsing
‎Jul 22 2024 11:04 AM
‎Jul 22 2024 11:04 AM

Between mx and the remote z3s?

MX must initiate it then, correct.

So we are looking at a rule...

MX internal ip (port range UDP 32768-61000), to any internet ip (UDP port range 32768-61000), for the tunnel?

Dont need any well known ike, ipsec ports etc, correct?

 

and then just a rule for MX to register with the meraki cloud.

 

 

0 Kudos
In response to dtamburin
ww
Kind of a big deal
Kind of a big deal
‎Jul 22 2024 11:16 AM
‎Jul 22 2024 11:16 AM

Tunnel is build from the public ip.

You need to check help>firewall info on the dashboard

https://documentation.meraki.com/General_Administration/Other_Topics/Upstream_Firewall_Rules_for_Clo...

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 22 2024 2:03 PM
‎Jul 22 2024 2:03 PM

All devices register their IP address and [usually dynamic] port with the VPN registry.

 

When any device (MZ, Z3, etc) needs a VPN to another device, it looks up the VPN registry to get the IP address and port of the other device, and builds a VPN directly to it.

0 Kudos
In response to PhilipDAth
dtamburin
Just browsing
‎Jul 23 2024 4:46 AM
‎Jul 23 2024 4:46 AM

thanks, makes sense.

 

So, we are going to need 2 rules on the edge corp firewall.

MX to registry.

MX to all the z3's and 4's when it wants to build a tunnel.

 

thank you for all your answers.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.