Traffic flow, ip and ports between a on-prem MX 250B and external z3 and z4's

dtamburin
Just browsing

I need to understand the traffic flow for the setup of a VPN tunnel between an on-prem MX 250B and a Z3 and/or Z4.

I also need to know what ports and IPs are required.

As far as I understand at this time:

The Z3s register with a VPN registry, somewhere.

When they want to start a tunnel, the registry reaches out to the MX250 with their public IP.

Then the MX250 sets the tunnel up directly?


thanks,

Davidt

GreenMan
Meraki Employee

I'd really recommend having a read of this:
https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

Key point: what you need to configure (assuming your MXs are claimed and have basic config) will appear under ? > Firewall info in the top right of the Dashboard.

dtamburin
Just browsing

Thanks, I did read that and everything is up and running fine. The issue is that security wants to lock communication down to the bare minimum.

So I need to know which side initiates, what the traffic flow is, etc.

Is that document saying that a tunnel is set up MX---registry---Z3? Or MX---Z3 after consulting the registry? Because if that is the case we would need all the public IPs.


ww
Kind of a big deal

The VPN tunnel is set up between MXs.

Ports used for IPsec tunneling:

Source UDP port range 32768-61000

Destination UDP port range 32768-61000

dtamburin
Just browsing

Between the MX and the remote Z3s?

The MX must initiate it then, correct?

So we are looking at a rule...

MX internal IP (UDP port range 32768-61000) to any internet IP (UDP port range 32768-61000), for the tunnel?

Don't need any well-known IKE, IPsec ports, etc., correct?

And then just a rule for the MX to register with the Meraki cloud.


ww
Kind of a big deal

The tunnel is built from the public IP.

You need to check Help > Firewall info on the Dashboard:

https://documentation.meraki.com/General_Administration/Other_Topics/Upstream_Firewall_Rules_for_Clo...

PhilipDAth
Kind of a big deal

All devices register their IP address and [usually dynamic] port with the VPN registry.

When any device (MX, Z3, etc.) needs a VPN to another device, it looks up the VPN registry to get the IP address and port of the other device, and builds a VPN directly to it.

dtamburin
Just browsing

Thanks, makes sense.

So we are going to need 2 rules on the edge corp firewall:

MX to registry.

MX to all the Z3s and Z4s when it wants to build a tunnel.

Thank you for all your answers.
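The flow PhilipDAth and ww describe above, and the two-rule policy dtamburin ends up with, as a runnable model. This is an added example, not Meraki code and not something posted in the thread: the registry address and port, the MX/Z3/Z4 addresses and the ports the devices register are constructed placeholders from the RFC 5737 documentation ranges, the real registry destinations are whatever Help > Firewall info lists for your Dashboard, and any NAT between the MX and the corporate edge firewall is ignored so one address stands in for the MX on both sides. What it shows is which side opens each flow, why the peer's reply needs no rule of its own on a stateful edge firewall, and that a flow outside UDP 32768-61000 (or from a host that never registered) is not covered by the two rules.

```python
"""Model of the Auto VPN flow from the thread: devices register (public ip, port)
with a VPN registry, a device looks its peer up there, then builds the IPsec
tunnel directly to that ip/port using UDP 32768-61000 on both ends.
All addresses, ports and names below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPSEC_UDP = range(32768, 61001)   # source and destination range quoted in the thread

# Constructed placeholders (RFC 5737 documentation ranges), not real infrastructure.
MX_IP = "192.0.2.10"              # MX 250B as the edge firewall sees it (NAT ignored)
REGISTRY_IP = "198.51.100.5"      # placeholder for the cloud VPN registry
REGISTRY_PORT = 9999              # placeholder; real values come from Help > Firewall info
PEERS = {                         # name -> (public ip, dynamic port) each remote device registered
    "z3-site-a": ("203.0.113.10", 50001),
    "z4-site-b": ("203.0.113.22", 45202),
}


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src: str                   # CIDR
    dst: str                   # CIDR
    src_ports: Optional[range]  # None means any source port
    dst_ports: range


def matches(rule: Rule, f: Flow) -> bool:
    return (rule.proto == f.proto
            and ipaddress.ip_address(f.src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(f.dst_ip) in ipaddress.ip_network(rule.dst)
            and (rule.src_ports is None or f.src_port in rule.src_ports)
            and f.dst_port in rule.dst_ports)


class EdgeFirewall:
    """Stateful allow-list: an outbound flow needs a rule, its replies ride on state."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.state = set()      # 5-tuples of flows that were allowed outbound

    def outbound(self, f: Flow) -> Optional[str]:
        for r in self.rules:
            if matches(r, f):
                self.state.add((f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port))
                return r.name
        return None

    def inbound(self, f: Flow) -> bool:
        # Admitted only if it is the reverse of a flow the MX opened.
        return (f.proto, f.dst_ip, f.dst_port, f.src_ip, f.src_port) in self.state


def build_policy(mx_ip: str, registry_ip: str, registry_port: int,
                 peer_ips: Dict[str, str]) -> List[Rule]:
    """The two rules the thread arrives at: MX -> registry, MX -> each remote peer."""
    rules = [Rule("mx-to-registry", "udp", f"{mx_ip}/32", f"{registry_ip}/32",
                  None, range(registry_port, registry_port + 1))]
    for name, ip in peer_ips.items():
        rules.append(Rule(f"mx-to-{name}", "udp", f"{mx_ip}/32", f"{ip}/32",
                          IPSEC_UDP, IPSEC_UDP))
    return rules


class VpnRegistry:
    def __init__(self):
        self.entries: Dict[str, tuple] = {}

    def register(self, name: str, ip: str, port: int) -> None:
        self.entries[name] = (ip, port)

    def lookup(self, name: str) -> tuple:
        return self.entries[name]


def simulate(peer: str = "z3-site-a") -> Dict[str, object]:
    """Walk one tunnel setup through the edge firewall and report each flow's fate."""
    reg = VpnRegistry()
    reg.register("mx250", MX_IP, 40000)          # the MX's own registered port (in range)
    for name, (ip, port) in PEERS.items():
        reg.register(name, ip, port)
    fw = EdgeFirewall(build_policy(MX_IP, REGISTRY_IP, REGISTRY_PORT,
                                   {n: ip for n, (ip, _) in PEERS.items()}))
    out: Dict[str, object] = {}
    # 1. The MX registers itself and looks the peer up: rule "mx-to-registry".
    out["registry"] = fw.outbound(Flow("udp", MX_IP, 40000, REGISTRY_IP, REGISTRY_PORT))
    peer_ip, peer_port = reg.lookup(peer)
    # 2. The MX initiates the tunnel directly to the peer's registered ip/port.
    out["tunnel"] = fw.outbound(Flow("udp", MX_IP, 40000, peer_ip, peer_port))
    # 3. The peer's reply is admitted by connection state, not by a separate rule.
    out["reply"] = fw.inbound(Flow("udp", peer_ip, peer_port, MX_IP, 40000))
    # 4. UDP 500 is outside 32768-61000, so the two rules do not cover it.
    out["udp500"] = fw.outbound(Flow("udp", MX_IP, 500, peer_ip, 500))
    # 5. A host that never registered cannot open anything inbound to the MX.
    out["stranger"] = fw.inbound(Flow("udp", "203.0.113.99", 50000, MX_IP, 40000))
    return out


if __name__ == "__main__":
    for step, result in simulate().items():
        print(f"{step:9s} -> {result}")
```

Swap the placeholder peer entries for the real public IPs of your Z3s and Z4s and the registry line for the entries shown under Help > Firewall info, and `build_policy` gives you the minimal outbound allow-list; the return traffic is handled by the edge firewall's state, exactly as the `inbound` check models it.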
