Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About treimers
treimers
Here to help
Member since Jul 26, 2019
Jun 26 2022
Community Record
15
Posts
1
Kudos
0
Solutions
Badges
Jun 26 2022
1:10 PM
Hi all - Regarding clients - In the Meraki GO web portal, I can see the graphs of how many clients have been connected/passerby/visitors. But I can't get a list of additional details about those clients. I'd like to know mac address, device type (phone, laptop, etc), and especially when/how long they connected. Similar to what we can get out of Clients in the Enterprise Meraki dashboard. I know this is Go, so I'm not anticipating the down-to-the-URL details like Enterprise can do... but surely you can get a list of the clients, and I can figure out if my neighbors are using my wifi w/out my permission? This is for the WiFi Access Points only - I do NOT HAVE one of the security devices. For that, I have a Fortigate firewall --- if my Guest SSID was on a given Vlan, I'd be able to look there. (which is another question - I can't figure out how to tag SSIDs into a specific Vlan)
... View more
Jun 17 2021
5:33 AM
Hi -- So, it is not true that this should NOT be a problem for a CLIENT coming from "behind" the Meraki firewall, as a client would be source-ported higher than UDP/500 and UDP/4500? I can see the problem in having a Fortigate or other firewall BEHIND the Meraki, and having it trying to terminate incoming VPN sessions - when both it and the Meraki want to use UDP/500 However -- this is an IPSec client behind the Meraki launching an outbound VPN, going off into the Internets to talk to the Fortigate on the public Internet. I did try assigning a public IP (NAT) to my client PC behind the Meraki 450. That made no difference - the VPN session between my IPSec client and the Fortigate out on the Internet still failed to launch. Thanks Tim
... View more
Jun 14 2021
7:55 AM
A client on the inside is whitelisted. The Fortigate public IP has a permit any/any/pubIP/any rule I'll check that idea. The MX is supporting Meraki L2L VPN peers, so I can't disable that. We are NOT using any VPN that isn't Meraki based, insofar as what terminates on the MX-450. The Fortigate is not connected to our network in any way - it's a far-end public IP connection, with clients attempting to connect to it by going _through_ the Meraki along the way. Does the L2L Meraki VPN setup use IPSec and thereby UDP/500 and UDP/4500 ? or is that some proprietary non-IPSec setup from Meraki? We aren't doing client VPN on that firewall. Thanks Tim
... View more
Jun 11 2021
8:28 AM
Hi alll - I am trying to configure my MX-450 to allow an IPSec VPN tunnel from an NCP IPSec client on the inside of the MX to connect to a Fortigate 100F firewall on the outside. (The NCP client is the preferred client of the vendor involved - I cannot simply use the Forticlient, for those who might wonder. Nor can I ask the other company to switch to SSL VPN technology) I have a public IP for the Fortigate on the host VPN side -- when I route that IP through a non-Meraki firewall (an ASA), the VPN works fine - when I route that public IP through the MX 450, the IPSec tunnnel setup fails every time. I have a "permit any" rule allowing full unrestricted no-blocks access to that public IP in the Firewall rules in the MX. Seems like that should be sufficient to allow UDP/500 and other ISAKMP/IPSec traffic through? Is there somewhere else in the MX I have to go establish special rules or anything to allow IPSec passthrough to work right? Thanks TIm
... View more
Dec 5 2019
5:35 AM
Hi all - I have a hub and spoke VPN configuration - one core MX-450 at our main datacenter, and three or four remote sites with one or more subnets at each site. I'd like to control access to a few of those remote subnets that contain secure infrastructure. I've put rules into the remote MX-67, but they don't seem to be taking effect -- as if the VPN tunnel/subnets routed over the VPN are "bypassing" the ACLs applied. Do I need to do those ACLs to filter access to the remote subnets at the host side on the MX-450 instead of the remote side MX-67? If there's documentation on Meraki's site regarding the behaviour of firewall ACLs with VPN tunnels, I've not found it. Seems like there's documentation on VPNs, and then separate documentation on firewall rules. Thanks Tim
... View more
Dec 5 2019
5:30 AM
Thanks! Not what I wanted to hear, but..... We'll figure it out... Thanks Tim
... View more
Nov 5 2019
1:47 PM
Hi - I have a pair of redundant MX-450 firewalls (one license, two units), with a virtual IP between them, and separate public IP addresses for each physical unit. Also have various static NATs. I have a /26 public subnet from my ISP, so I have additional public IP addresses I can use. Is it possible to have various internal subnets be nat/port address translated to separate public IP addresses 'on the way out' through the MX? ie - Internal hosts 10.25.0.0/15 > nat outbound to 182.141.252.14/32 (not my real IP, but.. you get the drift) Guest network 192.168.25.0/23 > nat outbound to 182.141.252.214/32 (again...not mine, just an example) In an ASA, this would look like nat (inside) 1 10.25.0.0/15 global (outside) 1 182.141.252.14/32 for the internal traffic above and for guest nat (guest-dmz) 2 192.168.25.0/23 global (outside) 2 182.141.252.214/32 How can I do something similar with the MX-450? We desperately need for our internal traffic to be "appearing" on the public Internet from one public IP and our guest traffic to "appear" on the Internet from a different IP. Thanks Tim
... View more
Aug 26 2019
9:59 AM
How old are your units, JDSilva? If they're 4+ years old, there may be an issue here where yours are older/more reliable, and the units we've all purchased in the last year or two are having production quality issues.... T
... View more
Thanks everyone --- Researching now...
... View more
Aug 14 2019
7:31 AM
Hi all - Can someone summarize for me the various ways to manage "users" for WiFi access, NOT in a corporate AD-based environment? I have a public venue environment which is _not_ part of any enterprise-AD environment. They want to use/manage individual accounts for promoters/sales booth operators/audio-visual crews/sports event staff-coaches, when those various types of WiFi users are in the venue, as well as bill them (flat rate, not usage based) for WiFi access. Currently the venue does not allow wholesale public WiFi access, but may wish to do so down the road. I'm trying to figure out the most flexible approach for them to have 'user authentication' for specific SSIDs, used by visiting promoters/sales vendors in convention booths, etc. It's a bit confusing because Meraki tends to mix up "Administrators" with "users" as though it were a corporate network where everyone has an AD account and needs different levels of access, but all the admins and users are all from the same enterprise corporate account back end platform. I'm wondering if Meraki Radius in some manner is an easier way to go, for creating accounts that are good for a day or three, allow billing, etc? Thanks Tim
... View more
Jul 26 2019
12:41 PM
Hi Marc -- This is a Meraki to Meraki VPN. My comments surrounding Cisco were from the "if I had the same commands in Meraki" perspective. Not to confuse the issue and make people think one side was an ASA. I've done hundreds of VPNs on Cisco ASAs...works great...But too expensive now
... View more
Jul 26 2019
11:48 AM
yeah, next time I'll do that. Hopefully there won't be a next time, but still...
... View more
Jul 26 2019
10:28 AM
So, we do have a second MX -- that's what enabled me to reboot the primary unit without _serious_ problems, although we did lose connectivity on public safety apps for a moment -- Not the end of the world, but not how I like to treat public safety either.... The applications recover, but it's still unprofessional to have no other recourse except to reboot the entire firewall to reset the IPSEC parameters on just one of many VPN ipsec tunnels. I did talk to Support -- they made changes to the VPN registries available/known to the networks involved, but that wasn't the problem - I didn't have the ability to be on the phone with Support from where I was at the time of the outage. And - the other part of the question - Yes, there was traffic, the subnets full of Cisco phones and PCs on either end definitely were still trying to talk - this is not a lack of "interesting traffic" On an ASA, I'd have been able to do debug commands to see the ISAKMP attempted setups (or failures), and capture match traffic on the interesting traffic ACLs, etc. As it was - all I could see was that the endpoints on both sides could not see each other. Both MXes could see the MAC address of the other unit in ARP tables, but could not ping each other, but could ping other devices (gateway router, other public IP devices) in the same public-side IP subnet. Zero ability to see the tunnel "down" other than a red bar in the GUI --- zero ability to see lifetimes, keepalives, etc. That info should all be in the gui and monitorable in SolarWinds (or other SIEM/NMS). So much more info exists about an IPSEC tunnel - none of it is visible in the GUI, and not in logs. And no "button" to reset just one tunnel without dropping others.
... View more
Jul 26 2019
9:10 AM
Mainly just vpn changes over the last few weeks as the remote sites lose power during thunderstorms --- but none of those messages correspond to the timeframe, except when I rebooted the MX. The site where the fiber cut happened is a large one with full generator power.
... View more
Jul 26 2019
6:19 AM
1 Kudo
Hi all - I have an MX-450 that, among other functionality, supports multiple site-to-site VPNs to remote sites. Yesterday, we had a fiber cut that took down one of the multiple sites, which of course took down the VPN to that site. The other VPN site-to-site tunnels stayed up. After fiber service was restored, that MX-67 at the remote site became available on the Meraki Cloud again. But the VPN did not come back up, even after rebooting the remote MX-67W. In Cisco ASA-land, this would be resolved by "clear crypto isakmp sa <tunnel group>" and the matching ipsec clear command. That would reset just the one tunnel on the host ASA side, and allow the VPN to restart. I tried disabling/un-configuring the entire VPN config on the remote MX-67 - after 30 minutes, that hadn't done it. In my case - the only way to restore the VPN was to reboot the host-side MX-450, which was highly disruptive to many many more users-- including our entire police and fire department first responders in the field. Not good, Meraki... What is the equivalent command in the MX-450 to be less of a sledgehammer approach than rebooting the entire appliance as if it were consumer Linksys hardware? Thanks Tim to a problem affecting just one site?
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 1 | 21877 |
© 2024 Cisco Systems, Inc.
