Dec 5 2019, 5:35 AM
Hi all - I have a hub and spoke VPN configuration: one core MX-450 at our main datacenter, and three or four remote sites with one or more subnets at each site. I'd like to control access to a few of those remote subnets that contain secure infrastructure. I've put rules into the remote MX-67, but they don't seem to be taking effect, as if the VPN tunnel/subnets routed over the VPN are "bypassing" the ACLs applied. Do I need to do those ACLs to filter access to the remote subnets at the host side on the MX-450 instead of the remote side MX-67?

If there's documentation on Meraki's site regarding the behaviour of firewall ACLs with VPN tunnels, I've not found it. Seems like there's documentation on VPNs, and then separate documentation on firewall rules.

Thanks
Tim
Dec 5 2019, 5:30 AM
Thanks! Not what I wanted to hear, but... we'll figure it out.

Thanks
Tim
Nov 5 2019, 1:47 PM
Hi - I have a pair of redundant MX-450 firewalls (one license, two units), with a virtual IP between them, and separate public IP addresses for each physical unit. Also have various static NATs. I have a /26 public subnet from my ISP, so I have additional public IP addresses I can use.

Is it possible to have various internal subnets be NAT/port address translated to separate public IP addresses 'on the way out' through the MX? i.e.:

    Internal hosts 10.25.0.0/15 > NAT outbound to 182.141.252.14/32 (not my real IP, but... you get the drift)
    Guest network 192.168.25.0/23 > NAT outbound to 182.141.252.214/32 (again... not mine, just an example)

In an ASA, this would look like

    nat (inside) 1 10.25.0.0/15
    global (outside) 1 182.141.252.14/32

for the internal traffic above, and for guest

    nat (guest-dmz) 2 192.168.25.0/23
    global (outside) 2 182.141.252.214/32

How can I do something similar with the MX-450? We desperately need our internal traffic to be "appearing" on the public Internet from one public IP and our guest traffic to "appear" on the Internet from a different IP.

Thanks
Tim
Thanks everyone. Researching now...
Aug 14 2019, 7:31 AM
Hi all - Can someone summarize for me the various ways to manage "users" for WiFi access, NOT in a corporate AD-based environment?

I have a public venue environment which is _not_ part of any enterprise AD environment. They want to use/manage individual accounts for promoters/sales booth operators/audio-visual crews/sports event staff and coaches when those various types of WiFi users are in the venue, as well as bill them (flat rate, not usage based) for WiFi access. Currently the venue does not allow wholesale public WiFi access, but may wish to do so down the road.

I'm trying to figure out the most flexible approach for them to have 'user authentication' for specific SSIDs, used by visiting promoters/sales vendors in convention booths, etc. It's a bit confusing because Meraki tends to mix up "Administrators" with "users" as though it were a corporate network where everyone has an AD account and needs different levels of access, but all the admins and users are from the same enterprise corporate account back-end platform.

I'm wondering if Meraki RADIUS in some manner is an easier way to go, for creating accounts that are good for a day or three, allow billing, etc.?

Thanks
Tim
Jul 26 2019, 12:41 PM
Hi Marc -- This is a Meraki to Meraki VPN. My comments surrounding Cisco were from the "if I had the same commands in Meraki" perspective, not to confuse the issue and make people think one side was an ASA. I've done hundreds of VPNs on Cisco ASAs; works great, but too expensive now.
Jul 26 2019, 11:48 AM
Yeah, next time I'll do that. Hopefully there won't be a next time, but still...
Jul 26 2019, 10:28 AM
So, we do have a second MX -- that's what enabled me to reboot the primary unit without _serious_ problems, although we did lose connectivity on public safety apps for a moment. Not the end of the world, but not how I like to treat public safety either. The applications recover, but it's still unprofessional to have no other recourse except to reboot the entire firewall to reset the IPsec parameters on just one of many VPN IPsec tunnels.

I did talk to Support -- they made changes to the VPN registries available/known to the networks involved, but that wasn't the problem. I didn't have the ability to be on the phone with Support from where I was at the time of the outage.

And the other part of the question: yes, there was traffic. The subnets full of Cisco phones and PCs on either end definitely were still trying to talk; this is not a lack of "interesting traffic".

On an ASA, I'd have been able to do debug commands to see the ISAKMP attempted setups (or failures), capture match traffic on the interesting traffic ACLs, etc. As it was, all I could see was that the endpoints on both sides could not see each other. Both MXes could see the MAC address of the other unit in ARP tables, but could not ping each other, but could ping other devices (gateway router, other public IP devices) in the same public-side IP subnet.

Zero ability to see the tunnel "down" other than a red bar in the GUI; zero ability to see lifetimes, keepalives, etc. That info should all be in the GUI and monitorable in SolarWinds (or other SIEM/NMS). So much more info exists about an IPsec tunnel; none of it is visible in the GUI, and not in logs. And no "button" to reset just one tunnel without dropping others.
Jul 26 2019, 9:10 AM
Mainly just vpn changes over the last few weeks as the remote sites lose power during thunderstorms --- but none of those messages correspond to the timeframe, except when I rebooted the MX. The site where the fiber cut happened is a large one with full generator power.
Jul 26 2019, 6:19 AM
1 Kudo
Hi all - I have an MX-450 that, among other functionality, supports multiple site-to-site VPNs to remote sites. Yesterday, we had a fiber cut that took down one of the multiple sites, which of course took down the VPN to that site. The other site-to-site VPN tunnels stayed up.

After fiber service was restored, the MX-67 at the remote site became available on the Meraki Cloud again. But the VPN did not come back up, even after rebooting the remote MX-67W.

In Cisco ASA-land, this would be resolved by "clear crypto isakmp sa <tunnel group>" and the matching ipsec clear command. That would reset just the one tunnel on the host ASA side, and allow the VPN to restart.

I tried disabling/un-configuring the entire VPN config on the remote MX-67; after 30 minutes, that hadn't done it. In my case, the only way to restore the VPN was to reboot the host-side MX-450, which was highly disruptive to many, many more users, including our entire police and fire department first responders in the field. Not good, Meraki...

What is the equivalent command in the MX-450 to be less of a sledgehammer approach than rebooting the entire appliance, as if it were consumer Linksys hardware, to a problem affecting just one site?

Thanks
Tim