Meraki

Community

Unable to open port for Veeam backup

smithgt
Conversationalist
‎Jan 30 2024 6:24 AM
‎Jan 30 2024 6:24 AM

Unable to open port for Veeam backup

I'm trying to open a port on our Meraki firewall for our Veeam cloud backup.

 

I've created a Forwarding Rule with the public port and local port for 6180 with the LAN IP that of the Backup Server.

 

I've allowed "any" for  Allowed remote IPs.

 

Using Portchecker the Meraki WAN IP the port is still reported as closed.

 

What else do I need to update other then the "Forwarding Rules"?

 

 

0 Kudos
5 Replies 5
ww
Kind of a big deal
Kind of a big deal
‎Jan 30 2024 6:29 AM
‎Jan 30 2024 6:29 AM

Is your mx connected  behind a ISP nat router?

 

You can verify if you mx uplink port is a public ip, and not private range ip

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Appliance_Status/MX_Uplink_Settings#WAN

0 Kudos
In response to ww
smithgt
Conversationalist
‎Jan 30 2024 6:43 AM
‎Jan 30 2024 6:43 AM

I don't know. Is it possible to tell from within the MX? 


Our ISP is Virgin Media, and they provide our static IP address.

 

Looking at the uplink configuration there is a Gateway IP address which seems belong to Virgin Media

0 Kudos
In response to smithgt
Brash
Kind of a big deal
Kind of a big deal
‎Jan 30 2024 7:58 AM
‎Jan 30 2024 7:58 AM

If you connect to the network and check your public IP address on a website such as the one below, does it match the IP address configured on your MX WAN port?

https://whatismyipaddress.com/

 

If not, you might be behind CGNAT and will need to request disabling it from your ISP. CGNAT addresses are typically in the IP Range of 100.64.0.0/10

0 Kudos
In response to smithgt
Rimccart
Meraki Employee
Meraki Employee
‎Jan 31 2024 8:46 AM
‎Jan 31 2024 8:46 AM

I would advise following some of the initial steps @ww suggested. 

We can confirm a NAT router in front of us by examining the Appliance status page and selecting the "uplink" tab. If the WAN reads a private IP, we are likely behind a NAT. Similarly to @Brash's comments, if we have a public address configured on the WAN port and the public IP under the "General" header is different, we could be impacted CGNAT. 

 

Another test to help confirm if the traffic is even reaching the MX is to take a packet capture on the MX WAN/internet port and then filter for either the public address initiating the connection to the server or the port the connection is to happen on (6180 in this case). 

 

The following documentation helps cover NAT and port forwarding troubleshooting:

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Troubleshooting_Port_Forwarding_and_NAT_...

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 30 2024 2:41 PM
‎Jan 30 2024 2:41 PM

Can you connect to port 6180 locally on the Veeam server?  Perhaps it is being blocked by Windows firewall.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.