needed ports for one-armed concentrator

Solved
Tobias_Kuhnert
Here to help


Hi,

I currently have a deployment with about 40 sites connecting to a data center via internet and MPLS.
Our data center MX is behind a Sophos UTM in one-armed concentrator mode.
On the Sophos UTM I created all the firewall rules for the ports which the MX dashboard suggests under help -> firewall info, but it seems that auto-vpn in automatic mode is not working properly.

I can also see in the logs of the UTM that the MX is trying to communicate over a lot of UDP high ports - I guess this is related to the "automatic mode".

However, I'm not a big fan of those "any-any" firewall rules, so I am wondering if there is a recommendation for what ports need to be open from the MX to the internet and what ports may need to be forwarded from the internet to the MX appliance. I couldn't find any clear statement in the documentation on that.

Thank you.
Best regards
Tobi

1 Accepted Solution
PhilipDAth
Kind of a big deal

Here is the info on automatic NAT traversal, which governs how the ports get allocated:

https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_IPsec_Tunneling_bet...


You can also use a manual port forward for AutoVPN traffic - and it sounds like this might be what you would like to do.

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_VPN_Registration_for_Meraki_Aut...


5 Replies
NolanHerring
Kind of a big deal

Assuming the MX can reach the Internet without issue?
Also assuming you're using the Internet port on the MX in the data center when you're connecting it to your core or wherever you have it connected.
Are you using a static IP for the MX at the data center? VLAN set correct etc.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide

Routing
The MX acting as a VPN concentrator in the datacenter will be terminating remote subnets into the datacenter. In order for bi-directional communication to take place, the upstream network must have routes for the remote subnets that point back to the MX acting as the VPN concentrator.


Nolan Herring | nolanwifi.com
BrechtSchamp
Kind of a big deal

While the connection to the VPN registry is easily added to a firewall, in default settings (it's a UDP connection to 2 known IP addresses with dest port 9350), the actual VPN tunnels will be established using random outgoing ports, so it's impossible to limit these in the Sophos firewall.


Therefore you'll be better off manually configuring the NAT traversal so you can add the necessary port forwarding and firewall rules to your Sophos.


See here:

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...


Use manual NAT traversal when:

  • There is an unfriendly NAT upstream

  • Stringent firewall rules are in place to control what traffic is allowed to ingress or egress the datacenter

  • It is important to know which port remote sites will use to communicate with the VPN concentrator


Some other interesting links:

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_VPN_Registration_for_Meraki_Aut...

https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_IPsec_Tunneling_bet...
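As an added illustration (not code from the thread or from Meraki's documentation), the following Python script buckets MX-sourced flows from constructed, generic key=value firewall log lines: the UDP/9350 registry flows that a narrow egress rule can cover, versus the scattered UDP high-port flows that automatic NAT traversal produces and that a static allow list cannot follow. The MX address, the log format and all peer IPs are assumptions or constructed sample data.

```python
import re

# Constructed sample of firewall log lines in a generic key=value style (not a
# real Sophos UTM capture). The data-center MX is assumed to be 10.0.0.5; the
# peer addresses are documentation ranges, not real Meraki registry or spoke IPs.
SAMPLE_LOG = """\
action=allow proto=udp srcip=10.0.0.5 srcport=39001 dstip=198.51.100.10 dstport=9350
action=allow proto=udp srcip=10.0.0.5 srcport=39001 dstip=198.51.100.11 dstport=9350
action=drop proto=udp srcip=10.0.0.5 srcport=58212 dstip=203.0.113.20 dstport=41211
action=drop proto=udp srcip=10.0.0.5 srcport=58212 dstip=203.0.113.21 dstport=53077
action=drop proto=udp srcip=10.0.0.5 srcport=58212 dstip=203.0.113.22 dstport=62190
action=allow proto=tcp srcip=10.0.0.5 srcport=44120 dstip=192.0.2.7 dstport=443
action=allow proto=udp srcip=10.0.0.9 srcport=51000 dstip=198.51.100.10 dstport=9350
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
REGISTRY_PORT = 9350  # UDP port of the VPN registry, as noted in the thread

def parse_log(text):
    """Yield one dict per non-empty key=value log line."""
    for line in text.splitlines():
        if line.strip():
            yield dict(KV_RE.findall(line))

def classify_mx_flows(text, mx_ip):
    """Bucket flows sourced by the MX: registry (UDP/9350), other UDP high
    ports (tunnel candidates under automatic NAT traversal), and the rest."""
    buckets = {"registry": [], "udp_high": [], "other": []}
    for f in parse_log(text):
        if f.get("srcip") != mx_ip:
            continue  # only the concentrator's own traffic is of interest
        port = int(f["dstport"])
        if f["proto"] == "udp" and port == REGISTRY_PORT:
            buckets["registry"].append(f)
        elif f["proto"] == "udp" and port >= 1024:
            buckets["udp_high"].append(f)
        else:
            buckets["other"].append(f)
    return buckets

def registry_peers(buckets):
    """The (ip, port) pairs a narrow egress rule for registry traffic needs."""
    return sorted({(f["dstip"], int(f["dstport"])) for f in buckets["registry"]})

def udp_high_summary(buckets):
    """Count UDP high-port flows, how many were dropped, and the port spread."""
    flows = buckets["udp_high"]
    dropped = sum(1 for f in flows if f["action"] == "drop")
    ports = {int(f["dstport"]) for f in flows}
    return {"flows": len(flows), "dropped": dropped, "distinct_ports": len(ports)}
```

A high and changing `distinct_ports` count across runs is the signature of automatic NAT traversal that the reply above describes.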


Tobias_Kuhnert
Here to help

Thanks for your answers.

I think we'll stick to limiting the communication at least to the described UDP port ranges.


The problem with the manual port forwarding is that I can only configure 1 public IP... If we have an outage of the primary ISP in the data center then VPN will not form over the backup ISP, right?


Thanks

PhilipDAth
Kind of a big deal

Hmm, that is interesting.


I was just looking at a client's MX, and they have manual port forward configured and have dual WAN circuits. We are using SD-WAN - and the WAN ports are running AutoVPN active/active - and it is working.


One thing of note though is that their WAN2 has a public IP directly on it - so no NAT is required for AutoVPN to WAN2.
