Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About confuzzled
Community Record
17
Posts
1
Kudos
0
Solutions
Badges
Oct 4 2017
1:14 PM
1 Kudo
No need to apologize @PhilipDAth, I think you're right. To add further complexity to this mess I inherited just over a year ago; the "idjut" that set it up internally matched our internal schema to the external WAN IP ranges, with the 10.x in the middle. example, if we had a public website and it was 164.x.x.5, we have 20 different ranged beginning with 164.x.x.x. So 164.x.x.x > 10.x.x.x > 164.x.x.x. Talk about a migraine. But now you know why I'm trying to replace these haha. But again thank you, this gave me several very good pieces of information, and I now can see that the assigning the public IP route is going to not only be way faster, but much much easier than trying to force it to work the other way. @Tat0rt0t Thank you as well for all of your considerable expertise, and also your willingness to break things down (including a demo map!) you guys rock. You've sold me that the public IP route is the best way to go on this.
... View more
Oct 4 2017
12:46 PM
I get what you're saying. but all our traffic for this site is going through that ASA. The 2900, as far as I know is only routing traffic from the ASA "outside" interface, the .18. I'd have to double check the config, but I'm pretty sure thats how its working. I'm guessing I'll just have to pursue the public IP route. Its probably for the best anyway; since we have outages all the time, and I cant be sure if they are from the rest of the state LAN or the ISP. This will at least clear that up and give us some insight as to who to hold accountable. Thank you very much for all your help!
... View more
Oct 4 2017
12:42 PM
Ha! I thought so. So, if thats the case, then we have a "zero nat" configured ASA. Not even kidding. And yes, the option to tie the .18 into a public IP has been there. I've been trying to get this to work "natively" because I'm pessimistic that come some kind of auditing time, they're going to say "well such and such agency (mine) does their own firewalls and security" - and then I'll be subject to the same level of reports, auditing, etc that they are. As it stands now, since we're basically a LAN segment, I can push a lot of the "blame back" so to speak. Looks like the public IP route might be the only option though. Thank you so very much for your help.
... View more
Oct 4 2017
6:01 AM
See, I've always been a little confused on this one. I've got plenty of lines of "route inside this" which, listed in ASDM are static routes. As far as NAT goes, however I have yet to see / find anything that specifically says what the config is for that on the ASA. My last attempt was about two hours of googlng and research and still came up empty handed and confused (could you tell from the screen name?). If you can steer me in the direction of what in the output of a sh run is considered 'NAT', or alternate commands to use / what to look at in ASDM, I'm all ears.
... View more
Oct 4 2017
5:52 AM
@Tat0rt0t - I hear what you're saying, I'm still not completely clear on it though. The way they've got their network setup, I won't be able to request the .16 network to have internet access, it would require too much reconfiguring on their part, plus they're happy with the way things are setup. My options at this point are to figure out if this can work "drop in place", or if I need to have .17 bound to an external IP, which we already know works, but bypasses the other agency firewall.
... View more
Oct 3 2017
3:40 PM
@PhilipDAth No restrictions on outbound traffic per the agency. Ping result to 8.8.8.8 is a negative ghostrider, both from the CLI and ASDM.
... View more
Oct 3 2017
3:31 PM
@Tat0rt0t Now that I think is exactly what I was looking for. The difference I can't seem to get anyone to tell me "why". So if that is correct, then I ask this question - "WHY"? Why? Why does an ASA "pass along" traffic to .17 and the MX says "noooo"? I'm completely not understanding the difference here, besides about two decades worth of technology difference between the Meraki company before Cisco bought it. The rest of your description sounds almost verbatim what I've heard from the sys admin III type that I'm working with trying to get this to work. So in basic networking terminology; the MX is designed to basically ignore TCP/IP principles, and the ASA isn't? So the ASA says "aww, screw it" and just throws traffic at .17, and the MX panics and says "I can't see the web! I cant see the web!" and never actually gets over itself? Btw, I just got the config. @PhilipDAth ! interface GigabitEthernet0/1 description Office of the State Engineer f/w outside ip address 10.x.x.17 255.255.255.252 no ip redirects no ip proxy-arp ip verify unicast source reachable-via rx ip nbar protocol-discovery duplex full speed 1000 ntp disable no cdp enable no mop enabled !
... View more
Oct 3 2017
2:46 PM
@Tat0rt0t, Your verbiage is correct. Thats exactly how they describe their 10.x network, internal only and "they aren't routing it". But if thats the case, then why on earth can the ASA get to the www and the MX can't?! As for the other items - I'd have to guess, since I don't have access to their devices. The 3750 has SFP connections, and the 2900 does not, so I'm guessing they are using it to pass the eth to fiber. The 2900 cannot be replaced at the moment. Long term, perhaps. This is also a "beta" setup which will need to be replicated at 6 other sites; so its very important that we figure out the problem and not start replacing equipment to try and force it to work; otherwise it'll get costly mighty quick. To your last, we can easily request that the .17 be assigned an external facing IP; thereby bypassing the rest of their network. That isnt what I want though, because that opens us up to being completely liable for our connection out to the web, and also adds our IP as an exclusion to their FW. (Ultimately - down the road this means when we get audited, I would have to do all the same paperwork they do). Thank you for your help!
... View more
Oct 3 2017
2:38 PM
Hi @PhilipDAth, I left the config at "auto". I also thought this shouldnt matter (although the thought did cross my mind that it might cause a problem). I'm still waiting on the external IP information from my cohort over at the other agency for the router.
... View more
Oct 3 2017
7:28 AM
@PhilipDAth let me see if my contact will provide that and allow me to post it. Standby.
... View more
Oct 3 2017
7:26 AM
@PhilipDAth First, thank you for being so helpful on all of this; I know this is entirely optional for you, so I really, really appreciate all the help and enthusiasm you've shown in trying to get this solved. My current Cisco ASA outside config as you requested: ! interface GigabitEthernet0/0 description outside speed 1000 duplex full nameif outside security-level 0 ip address 10.x.x.18 255.255.255.248 !
... View more
Oct 3 2017
7:24 AM
Good morning @PhilipDAth, The MX definitely has a link light, traffic too (or at least trying) - green and blinking. I have not tried a crossover cable though. I thought on Meraki's we did away with the whole crossover thing?
... View more
Oct 2 2017
10:22 PM
So I was able to get a test done this evening, mainly to see if we could get anything to show up on the local status page. I worked with the other state agency that we hand off to, who also made sure to manually flush the arp table. Unfortunately, no go. We were able to get a DNS error to go away, though. @PhilipDAth, in this case they are both private and non-routable (this is per the other IT guy). 1st, the local status page: https://1drv.ms/i/s!AnLjK1XRrLhQgbMtdr7NXy-In2cO5A So for grins, on the MX I'm using 10.x.x.18 255.255.255.248 Default Gateway 10.x.x.17 (Default Gateway is also the routers IP) Hope that clears that up.
... View more
Oct 2 2017
12:20 PM
Actually, that's exactly what Meraki support had me try. And here's the part where "everything I ever learned about networking..... doesn't apply today" comes in. And of course, it does not work. So they said "yeah, its not supposed to, because that 1st hop / the router IP isn't rout-able. They keep saying that, like its supposed to "explain everything" to me. So here's the crap-funnel down to the LCD (lowest common denominator) for me. Does a Cisco ASA have the ability; to "route" past a "non rout-able" IP, where the MX does not? Because apparently, that's exactly what our current ASA is doing, right now. Heck, I'm sending this message through it. Another thing I'm not that sure about - I'm looking at the ASA through ASDM, and it says firewall mode is "routed". Is that a key term for "extra special" meaning normal network rules don't apply? Other than that, I think I'll wait till after hours and see what the status page error looks like. Thanks @PhilipDAth
... View more
Oct 2 2017
5:35 AM
@lpopejoy, Thanks - I'm going to specifically ask about both arp caching and any other strange config on that Cisco 2900 "router" aka 1st hop. You're the 3rd person to mention it, and its starting to tickle my spidey senses (if more than one person says something - pay attention). Thank you for the feedback. I will email my contact now. Have a good Monday!
... View more
Oct 2 2017
5:19 AM
Hi Philip, Thank you for so much good info. Your opening statement matches mine as far as my understanding to how Meraki's work. Now comes all the "fun" parts. I've brought up the DNS part before - the "state agency that acts as our ISP" refuses to provide those internal DNS settings, citing security concerns. They are now some crazy cloak & dagger linux dns bank that no one is allowed to know what the IPs are except for them, was the summary of what I was told. I've been using google's 8.8.8.8 as my DNS1 when testing the Meraki and one of my internal DNS servers (which, to me seems like it wouldnt help a bit - but thats what you do out of desperation and when the response you get to your question of 'what DNS should I use' is a cryptic 'whatever you want'). To the rest of your excellent points (ty again by the way); The default gateway on the MX is set to the router's IP. This matches and is the same as what the current ASA has for its "route outside 0.0.0.0 0.0.0.0 10.x.x.x 1" entry / static route, which if my understanding is correct, that is the default route on the current Cisco ASA. I didn't know the status page reported anything, thats very good to know and I will definitely try that to see whats happening. As to the last part, yes the MX plugs directly into the "router" which is the evasive way I'm explained how this convoluted monkey they've got running is configured. I'm assuming that since the current ASA is plugged directly into this "router", that is the default gateway. I've also power cycled this "router", which is a Cisco 2900 something I haven't googled yet to see exactly what the heck it is. So yes, when testing the MX also gets plugged directly into it, restarted, to make sure that nice arp table gets flushed as you had mentioned. No VLAN tag that I am aware of.
... View more
Oct 1 2017
9:10 PM
Hi Meraki community, I'm having issues trying to setup my MX84. I'm working with support, but of course that's taking a while, and of course they always want to work on it when its convenient for them, and at the worst possible hours (like 10am on a Monday). We are a state agency, technically a LAN inside of a LAN. Our current ASA is a Cisco 5512 which I am attempting to clone the settings from, and plug into the MX84. I've been told "this can't work" by other state IT, and that they've attempted to get Meraki ASAs to work in this setup before, but were never successful. Currently, they claim the only way to have this work is to give the Meraki ASA a public IP. I do not think this is correct. When I simply plug in and allow the MX84 to pick up an IP from a DHCP range, (say, in my office) everything works great. Its connecting to the Meraki cloud and all the lights are green, etc. When I try to plug in the static settings and test it after hours from the config running on the 5512, the power LED stays red and I'm not able to get to it from the dashboard. So far, we've gone over every single detail I can think of. The "outside" IP settings of my current Cisco ASA match what I am putting in for a static IP on the Meraki (WAN2) port. It's 1st hop is a "router", an old Cisco 2900 series. From there the 2900 dumps into a Cisco 3750 switch, where it makes the transition from eth to fiber, and then hits the fiber box. From the 1st hop on is a different state agency in charge of "our internet service", so I cannot speak to how all of that is setup. I do have a very high level topo map, but that's it. The "agency in charge of our internet service" says the reason the 1st hop doesn't work for the Meraki is because that IP "isn't rout-able". They're using a 10.x.x.x network schema for their LAN. Our state's public IPs are 164.x.x.x. My befuddlement is that the current Cisco ASA is working quite fine with its 10.x.x.x address, and passing it along to the 2900, then the 3750, etc. When I try after hours to plug the Meraki in, no go. The latest troubleshooting method was to plug in a static route for the same address as the default gateway (which is also the first hop). The Meraki support guy I'm working with seems as confused as I am with why it isn't working. I'm a little frustrated since Cisco bought Meraki, I sort of thought this should be cake to them. My most recent idea tonight (Have the 2900 issue the static via DHCP to the Meraki) was shot down by the other state agency senior IT who said the 2900 as a layer 3 device could only act in the static role. Any help would be greatly appreciated. I think this can work, I think I may just be missing something simple / stupid.
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 1 | 21268 |
© 2024 Cisco Systems, Inc.
