meraki vpn

jprovine
Here to help

I am trying to configure my Juniper MX5 device to allow a connection to the internet for my Meraki MX64 VPN device so it can connect to the cloud service. I would appreciate any suggestions, since I am new to Juniper and Meraki VPN.

PhilipDAth
Kind of a big deal

Log into the Meraki dashboard and in the top right hand corner go "Help/Firewall Info".  Those are the rules required that your Meraki network needs to talk to the cloud and operate correctly.

I do not have access to the dashboard; I will need to contact someone who does. So is it an acceptable practice to connect the device to the Juniper MX5 and then connect it to an internal network VLAN?

PhilipDAth
Kind of a big deal

How come you don't have access to the dashboard? You can do nothing without dashboard access.

Is there a reason you want to use two different firewalls?

Why not just connect the MX to the Internet and make life simple?

Also, your post title mentions "VPN". How does this fit into the picture?

I do not have access because the main office is supposed to be putting it in and managing it. I don't remember saying I have two different firewalls. Currently it is on our internal network connected to the internet, but now I have to connect it to the VLAN that it will be servicing, and again, I have never worked with Meraki. It was just brought to me to replace a VPN that is currently in place and on the Juniper MX5. They just wanted to plug and play, but it did not work that way. I guess I could connect it to the internal VLAN it's supposed to be in and be done with it. It is a Meraki VPN through their cloud services. Again, I don't know much about it, because I was just asked to make it fit in our network, but I don't manage it.

By the way, great questions, it's helping me make a better decision.

@jprovine The Juniper MX5 and Meraki MX are both router/firewalls.

If you don't have access to the Meraki dashboard you are up the creek without a paddle; you won't be able to configure any VPN settings on the Meraki MX without dashboard access.

If they have configured the WAN port correctly you should be able to unplug the WAN circuit from your Juniper firewall and plug it into the WAN port on your MX (probably labelled Internet1).

After a couple of minutes the LED on the front should change to white if it is working.

You should be able to plug in your internal network to one of the LAN ports on the MX.

You are going to need to reach out to the people that manage your network for more guidance.

I am the one that manages the network, but I am very new and they just came here one day and expected to plug it into the VPN device that had before and thought it would work. But the VPN they are replacing is a point to point VPN and not a cloud service device. So would I be able to just plug it into the VLAN it is intended for? It would have internet access.

I did not know that the MX had LAN ports, but I will try that.

Nash
Kind of a big deal

Okay, so it's point to point, and not client VPN. Do you know if they are using a third party tunnel or AutoVPN? 

The original VPN they are replacing was point to point, and they are using the cloud service and it is set to DHCP to automatically get an IP address. We have it plugged into one of our VLANs right now, the light is white and I have confirmed through the firewall that it has access to the cloud service, but I don't know if there is a tunnel formed. I would assume I could see that if I had dashboard access.

Nash
Kind of a big deal

Yes, you would be able to. White light is a good sign. Do you have an IP address on the other end of this tunnel, that you could try to ping from a device on the subnet associated with the MX's vlan? That's one way to see if the tunnel is up.

Depending on your company policy, they could provide you with a read-only account to view just your MX's network on the dashboard, btw.

The VLAN we have it on where it is able to get to the cloud service and the light is white, if I move it to the VLAN it's supposed to be in, can it get a new IP in that VLAN or does it need to be reset? Does it need to be plugged into more than one port, or is being plugged into the VLAN it will live in enough to get it to pass traffic through the VPN? I have no idea what this VPN is even used for.

Nash
Kind of a big deal

If it's set to DHCP, it will pick up a new IP address. If necessary, power cycle it.

I think you're really going to have to call home base and ask them what this thing is for and how they've deployed it elsewhere. There's no shame in being told "eh it's just plug and play" and then it just doesn't work.

Yes, already contacting them, but they were here a month ago and tried the plug and play and couldn't figure it out. Your suggestions have been extremely helpful. As you said, I need to know how they installed them at other locations and see if that can be done at our site.

Brons2
Building a reputation

I've been asked to do a lot of (stupid/impossible/whatever) things in my IT career, but I've never been asked to configure a VPN with no administrative access to the device on my end of the connection. What. A. Nightmare.

You need console access, period. Only then can a process be developed that might, I repeat might, be plug and play in other locations. And it's wasted effort if it's not documented.

$0.02

As for running two firewalls, it's not necessarily a problem, it's one way to slowly turn up a NGFW, while keeping the traditional IPs and Ports firewall in place.

Thanks for feeling my pain. My plan is to try to configure a port, which I don't know how to do, on our Juniper to allow direct access to the internet in a secure way. Once it connects it should be plug and play. I talked more with those who are managing the device to get a better understanding of what they needed and what we were configured to do, which is different from other locations where they plugged the device into the ISP's router, which gave them direct access to the internet. Hopefully I can find a Juniper MX5 guru that knows how to do the port config I am talking about.

Nash
Kind of a big deal


@jprovine wrote:

it was just brought to me to replace a VPN that is currently in place and on the Juniper MX5. They just wanted to plug and play, but it did not work that way. I guess I could connect it to the internal VLAN it's supposed to be in and be done with it. It is a Meraki VPN through their cloud services. Again, I don't know much about it, because I was just asked to make it fit in our network, but I don't manage it.

By the way, great questions, it's helping me make a better decision.


What's the goal for the Meraki MX? Is it just to serve as a VPN concentrator? If so, you could ask your remote end if they've set up the Meraki MX as a one-armed VPN concentrator.

Or is it supposed to serve as a full firewall? Is it only intended to handle traffic for a single vlan, or for the entire network?

VPN only intended for one vlan only.  What if I just plug it into the vlan it was intended for, it would have access to the internet from there, do I really need to put it at the perimeter?
