Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About mat1458
mat1458
Getting noticed
Member since Oct 23, 2018
Mar 26 2019
Kudos given to
Community Record
28
Posts
5
Kudos
0
Solutions
Badges
Jan 23 2019
3:38 AM
1 Kudo
Thanks Philip That explains everything clearly and my tests prove that you're right. Cheers Mat
... View more
Jan 23 2019
3:36 AM
1 Kudo
I did not yet know about the well-behaved part of the FW. But looking at it it makes a lot of sense in terms of economizing ports. Thanks for your endurance in answering my questions. Mat
... View more
Jan 22 2019
11:46 PM
Hi Philipp I have done further tests and I still can generate IP address overlaps. Just to make sure that I understand the concept of overlap checking in Meraki: Are the checks made per network bound to the same template (in which I define the uniqueness) or are the checks made based on the entire organization (all networks bound to a template and the ones that are not bound to a template)? Thanks for reading and supporting people. Mat
... View more
Jan 21 2019
8:08 AM
Thanks Brecht for all the time you dedicate to my issue. The way I see it there must be a mechanism in the ISP FW NAPT process that re-uses previously assigned source ports for different IP addresses in the outgoing direction (which makes sense from an economical assignment point of view). This way the hole punching basically opens the same port on the public side for all outgoing UDP connections from the same inside source address. That way the whole model can work. Kind regards and many thanks again. Mat
... View more
Jan 21 2019
6:04 AM
Hi Brecht Thanks for the answer and sorry for the delay. I still have a question. The way I understand PAT (NAPT) it always consists of a two tuples: one describing local SrcIP/SrcPort and the corresponding global SrcIP/SrcPort, the other one describing local DstIP/DstPort and the corresponding global DstIP/DstPort. Now for the MX1 this would be something like local IP10.1.1.1/UDP40001 and global IP1.2.3.4/UDP40001 to local 64.62.142.12/UDP9350 and global 64.62.142.12/UDP9350. This in my opinion punches a hole for the connection between the two endpoint IP addresses. When having a second MX2 behind the same ISP firewall the situation would look like that: IP10.1.1.2/UDP40001 and global IP1.2.3.4/UDP40002 to local 64.62.142.12/UDP9350 and global 64.62.142.12/UDP9350. The UDP port for both MXs differs on the outside, but in my opinion only for the communication to 64.62.142.12/UDP9350. When assuming that an access point tries to set up a connection to MX2 it sends a UDP packet to IP1.2.3.4/UDP40002. Since the public IP address of the access point is not known the packet is dropped at MX2's ISP FW. Now if the MX2 tries to open the communication to the AP: is there a rule for the ISP FW to use the same UDP port number (40002) to the different public IP address of the access point? Or is it just the way most of the NAPT devices work? Sorry to bother you again but maybe you can help me understand the process more profoundly. Kind regards Mat
... View more
Jan 15 2019
6:16 AM
Hi Brecht Thanks for your reply. But if I understand you correctly, the non-Meraki FW would change the port in your scenario. How can the Meraki VPN registry track the different outside port? In my opinion there is no direct relationship between the FW and the registry. So some messaging (error messages?) could be used for this update but I don't see any way, how to do this update. In my opinion it could only work, if the VPN registry remarks the duplicate port numbers before it announces them and urges one of the data center MXs to change it's source port and then re-announce it. Or Meraki relies on coincidence with the random function on the port range. Cheers Mat
... View more
Jan 14 2019
11:47 PM
Hi I want to have multiple MX of different organizations in a data center that hide behind a non-Meraki firewall. All MX are in the same subnet. The MX act as VPN concentrators for SSID tunnels to APs of multiple customers. If I have a look at the documentation on how the tunnels are invoked (https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_IPsec_Tunneling_between_Cisco_Meraki_Peers) I see in the example that the SF-MX selects a UDP port for the tunnel source/destination dynamically. Is there a way to make sure that these ports do not overlap when I hide all data center MX behind the same IP address to the internet? Or in other words: what is the algorithm for an MX to choose a UDP port for VPNs? Any ideas are welcome. Cheers Mat
... View more
Dec 10 2018
1:41 AM
Hi Philipp even though in some configuration situations I received error messages about overlapping IP subnets and I was not able to proceed I was able to configure my network in a way to have overlapping IP subnets. This was the case when I added a spoke site that used the pool of IP subnets out of the template. I do not know why the tests work when trying to add a hub site with overlapping IP addresses but not in the case where a spoke site gets an IP address out of the pool. So I think that the best strategy is still to use non-overlapping address spaces for hub and spokes, but that was clear in the first place. Thanks for taking the time for replying my (silly) questions. Matthias
... View more
Dec 6 2018
5:52 AM
I have understood that for automatic address assignment in Site-to-Site VPN I have to use a template. With it each site gets its own IP addresses from a defined pool. For a hub and spoke network I need to configure the MXs as spokes. the hub site as I see it cannot be part of the template because of the selection of the type "Hub". If I want to select an IP address for a VLAN on the hub out of a range in the template that is used in the spokes: does the dashboard track the used IP subnet so that it is never assigned to a spoke? Or do I have to assign IP addresses in a different IP address range? (reason for asking: FW rules would be easier in general if IP addresses for VLANs with the same purpose could reside in a common address range)
... View more
Nov 20 2018
9:00 AM
If the MX is the DHCP server the incomplete ARP is not likely to be the issue since the traffic is routed and ARP is only necessary for the default gateway IP address in the local VLAN. It looks to me as if something in the DHCP processing on the client side as gone wrong. Did you do an ipconfig /all (or whatever the OS of the client might need to display the IP config) to see if the DNS servers and the Default Gateway were present in the PC? If everything is/was ok, could/can you ping the DNS server? Are you able to able to ping devices in proximity to the DNS server?
... View more
Nov 14 2018
7:37 AM
1 Kudo
Thanks for the reply!
... View more
Nov 14 2018
5:42 AM
I have a one-armed MX VPN Concentrator that is located in a site that is connected over a network with an MTU of 1440. Is there a way to build a Teleworker VPN solution (MR AccessPoint SSID Tunneling) from other sites to this VPN concentrator? Is there a way to reduce the MTU on the MX or to switch on PMTUD in a way that the MX and the AccessPoint both reduce the size of the IP packets?
... View more
Nov 14 2018
3:41 AM
1 Kudo
Hi jdsilva Thanks for your reply and sorry for my late reply. That's indeed the way to go, L2TPv3 Tunnels or EoGRE would be others but due to technical restrictions I'll continue with your idea. Cheers mat
... View more
Oct 23 2018
9:56 AM
I would like to have a WLAN solution in which each site uses a separate VLAN for a specific SSID that is transferred over AutoVPN to a central site. Can I use an MX at the central site that still lets me separate all VLAN from the sites and how would I configure it at the central and remote sites? (Kind of a L2-site-to-site-VPN)
... View more
Kudos given to
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 1 | 6186 | |
| 1 | 6676 | |
| 1 | 3133 | |
| 1 | 2150 |
© 2025 Cisco Systems, Inc.
