Z3 Teleworker connecting to MX appliance behind a Firewall

Solved
KV
Just browsing

So, I am interested in getting some remote teleworker units - Z3s to be exact - and connecting them to an MX appliance (MX250) at our main office.

The thing is, this MX appliance will not be our main exit point for the head office. We are still using our existing network, and have no plans to change this in the future yet. This MX unit will therefore sit behind a firewall and handle all the Auto VPN requests only.

It will then also be connected to our internal network, in order to serve the VPN clients with their internal site details.

As a simple topology, this is what we have in mind:

[Topology diagram image]

With the Meraki unit hanging internally, in order to provide internal VLANs for the users. I can connect this unit to our internet circuits directly, but I do not want to bypass the firewall at the main site, so I chose not to do this.

Is opening up the necessary ports for this unit all we really need to do to make this work? 

Has anyone actually done this before and gotten it to work? 

Would we only then need the Enterprise LIC, as technically that is the only function of the MX in this regard?

1 Accepted Solution
cmr
Kind of a big deal
Kind of a big deal

@KV we run the setup you have proposed using Enterprise licensing. All we allowed was the standard Meraki ports outbound from the VPN concentrator MX HA pair IP on our edge firewalls. We currently have a Z3, an MX64 and an MX65, all on different public networks but part of the corporate SD-WAN; other MXs are on private MPLS WANs.

It has been working fine for a couple of months (public units), and the rest have been running for over a year on the MX15 release train.

The edge firewall vendor can make a difference; I've seen elsewhere on the forums that Palo Alto doesn't play nicely with ISP failover in this setup. Ours are fine, and the Z3 etc. survived 2/3 of our ISPs going down, leaving only the tertiary alive. Didn't even see an issue from their perspective.

If my answer solves your problem, please click Accept as Solution so others can benefit from it.

2 Replies
KV
Just browsing

That is some awesome news. A noteworthy comment about the PA firewalls. I also heard about some difficulty with WFH solutions involving them, but nothing concrete.

I will give this a go then and try it out ASAP.

Thank you so much for your input, cmr.
