Wierd config question.....

Solved
OS-Cubed
Here to help

Wierd config question.....

Need feedback on this proposed config:

 

I am going to be retiring a set of Meraki MX/MS systems and the servers behind them that were configured as public pass-through for hosting websites.  The meraki and the switches and all servers behind it were configured with public IP addresses, but only certain ports were passed through the firewall.  the system was also set up for client VPN to handle managing it. Not all servers had ports pushed through as they weren't all web servers.  

 

All that was configured by myself and I know it well. In order to fulfill data retention requirements for some period of time I intend to move this entire set of servers and network equipment into a local setup - with all the settings remaining the same. I do not intend to make those addresses available from outside the local private network. What I would like to do this this:

 

* Set up a VLAN on my local network with the existing public IP address range (say it's 198.201.233.x/24 gateway 198.201.233.1- it's not but for the sake of the example)

* Set one port to default to that VLAN on either a meraki switch or on my mx.

* Connect the existing Meraki MX, configured as before, with the Internet part (configured for 198.201.233.2 with the .1 gateway). Connect the switch to the meraki mx, connect all the other devices to the same ports they were connected to on the Meraki switch, and power them up with their 198.201.233.x addresses intact.

* There will be one public facing MX router with a connection to the internet.

* The existing router will go behind the public facing one, and will not need ports punched through to it from the internet - it only needs to be internally accessible on the ports it's currently externally accessible from.  Internal devices will be on other private subnets behind the first firewall, but not the second.

 

Questions for the peanut gallery:

 

* I assume I should remove any meraki site-to-site VPN connections to the second MX as that won't resolve since it doesn't have a unique public IP (other than the same public IP as the main router)

* I assume that since I have a meraki behind a meraki I cannot client VPN into the relocated MX that is behind the first mx directly? They would both have the same public IP address, and punching ports through from the public facing mx to the private one would prevent public facing client vpn.

 

* I would need a locally connnected device in the 198.201.233.x range behind the second firewall to manage the devices in that network. and then a secure non-clientvpn way to access that device?

 

* Do i need to do anything special on the public facing meraki to reroute internal traffic intended for 198.201.233.x to the internal network rather than the external address.  I don't expect to be using that public ip range in the future (at least until my data retention contract runs out).  I am fine with rerouting it to the internal net indefinitely, and understand the ramifications of that.

 

I know this is a weird ask but assume it's doable with some limitations (like no direct client VPN)

 

1 Accepted Solution
OS-Cubed
Here to help

OK after much mucking around I got this all working. Some notes:

  • since the original router was part of a meraki VPN, when I attempted to create (after disconnecting the old router and bringing it in-house) the public IP Address range I desired as a VLAN it gave me a warning that it wouldn't route correctly (and in fact it did not).  I had to (temporarily):
    • Take the vlan range down to a /26 rather than a /24
    • Remove the moved meraki from the site to site VPN
    • Re expand the range to /24
  • I then ran into what I thought were additional problems. I could see all the devices inside the new VLAN when I was IN the VLAN but they could not see outside.  Turned out I had:
    • Plugged the switch they were plugged into into an access rather than a trunk port when rewiring it.  Thus I couldn't see the devices unless I was on the switch, rather than the outside network.  Rookie move but i wasted an  hour trying to figure out why the devices could see each other but  not the outside world, or the outside world see them.
  • The original router was set as a pass-through firewall with just certain ports passed through.  When it was on the site-to-site this didn't matter because I could see all ports once the vpn was established. After moving it i had to open up a couple ports for traffic to pass correctly between the 2 lans, but that was pretty easy and trivial and in fact increased security since now only that traffic passed.
  • I don't need to vpn into the double-natted device so I didn't bother trying to set client or site-to-site back up again.

 

Thanks for the help and pointers.  I basically relocated my entire web infrastructure off shared hosting and into an archival state in under a day.  Pretty good really.  Gotta love Meraki.

 

View solution in original post

5 Replies 5
cmr
Kind of a big deal
Kind of a big deal

1) AutoVPN can work on the MX behind the other MX, if IPSEC then you can allow it through

2) You can redirect the client VPN through the initial MX to the internal one, one way would be to have it appear as a different IP in the external range.

3) There are a lot of options here depending on what you do in 1) and 2)

4) If you want to use the non interface IPs behind the first MX, then you need port redirection to the internal devices

If my answer solves your problem please click Accept as Solution so others can benefit from it.
OS-Cubed
Here to help

so if I punch the ipsec ports through to the secondary MX, won't that intefere with VPN to the primary MX?  Just trying to think this through ahead of time.  My thought was:

 

* I have workstations that are between the two (behind the primary mx, but in front of the secondary) I can potentially cliend vpn to the secondary mx from those workstations to manage the devices behind the secondary MX - essentially as I do now to manage them over the autovpn. I'd just need to use client VPN instead of the current MX to MX autovpn, since it's behind the first MX now.  I can currently client VPN to my devices that are out there on the public internet using client vpn.

 

* I don't really need to remote into the stuff behind the secondary MX from the internet - in fact it would be preferable to NOT do that.

* I do know that I could punch remote desktop ports through to the secondary servers and limit them to the ip addresses of the primary network if necessary. Less secure though.

evaelfie
New here

Having two routers in series (the public-facing MX and the internal MX) might introduce double NAT issues, potentially affecting network performance and some applications.

OS-Cubed
Here to help

Well aware. In this case the moved servers are there only for backup and archive purposes and won't be able to be accessed from the internet at all, nor do they need to really access the internet (though they can) since once the retention period expires I'll be purging them.

OS-Cubed
Here to help

OK after much mucking around I got this all working. Some notes:

  • since the original router was part of a meraki VPN, when I attempted to create (after disconnecting the old router and bringing it in-house) the public IP Address range I desired as a VLAN it gave me a warning that it wouldn't route correctly (and in fact it did not).  I had to (temporarily):
    • Take the vlan range down to a /26 rather than a /24
    • Remove the moved meraki from the site to site VPN
    • Re expand the range to /24
  • I then ran into what I thought were additional problems. I could see all the devices inside the new VLAN when I was IN the VLAN but they could not see outside.  Turned out I had:
    • Plugged the switch they were plugged into into an access rather than a trunk port when rewiring it.  Thus I couldn't see the devices unless I was on the switch, rather than the outside network.  Rookie move but i wasted an  hour trying to figure out why the devices could see each other but  not the outside world, or the outside world see them.
  • The original router was set as a pass-through firewall with just certain ports passed through.  When it was on the site-to-site this didn't matter because I could see all ports once the vpn was established. After moving it i had to open up a couple ports for traffic to pass correctly between the 2 lans, but that was pretty easy and trivial and in fact increased security since now only that traffic passed.
  • I don't need to vpn into the double-natted device so I didn't bother trying to set client or site-to-site back up again.

 

Thanks for the help and pointers.  I basically relocated my entire web infrastructure off shared hosting and into an archival state in under a day.  Pretty good really.  Gotta love Meraki.

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels