Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join nowAbout Craig_Tompkins
Craig_Tompkins
Here to help
Member since Jun 5, 2020
Feb 10 2023
Community Record
16
Posts
0
Kudos
0
Solutions
Badges
Aug 8 2022
11:55 AM
As a followup - We did the port forwarding of port 55555 on the cable modem and then assigned that on the Manual NAT Traslation on the Meraki and it's working. Of note, Comcast would not let us sign up for a static IP, so we do understand that should the public IP of the cable modem change, this location will go down and we'll have to update the Manual settings.
... View more
Aug 2 2022
6:42 AM
I fond my answer in the documentation and will give this a try. Putting that info here to help future Google searches and I'll update our results when we have them. Manual: Port forwarding: If the Automatic option does not work, you can use this option. When Manual: Port forwarding is enabled, Meraki VPN peers contact the MX-Z device using the specified public IP address and UDP port number. You will need to configure the upstream firewall to forward all incoming traffic on that UDP port to the IP address of the MX-Z device. Make sure the port number you have chosen is not already used by another service. For example, do not use port 500 or 4500 as these are used for Client VPN and 3rd party VPN peer communication.
... View more
Aug 2 2022
6:02 AM
Thanks for the info. Do we have to setup port forwarding on the cable modem? I notice if I change the radio button to Manual it asks for a port. How do we determine that? Or is it exactly that - I do port forwarding on the cable modem of a port that I pick, then tell the Meraki what that port is? Assuming that's it, I assume I would not have to do a static IP, but SHOULD do a static IP because if the users home IP ever changed it would break. And to be clear I would try to do so, but don't know how fast Comcast will be in doing so.
... View more
Aug 2 2022
5:33 AM
We have 40 networks each using site to site VPN. Of those 40, 2 are hubs (primary and DR datacenters). Because of some BGP complexity we have the other 38 sites doing site to site VPN to just 1 hub. If we ever fail to DR, I'll have to change the hub in use on the 38 spoke networks. I have 1 network using a Z3 that is behind Comcast cable modem at the President's house. It works fine most of the time. Then all of a sudden we'll get alert that VPN is down and the status page says it's behind NAT Type Unfriendly. The fix is to either reboot the Z3 multiple times or if that does not fix it, we have to call Meraki and ask them to change to registry. Changing the registry always fixes the issue....once we can convince the tech to do so by showing them 3 - 5 past cases where this has fixed the problem. If I add the DR site as a 2nd hub, it comes online. Because of the BGP routing mentioned above I don't keep the 2nd hub online, I just brought it online as a test. Does anyone have any suggestions? It's getting very tiresome having to call Meraki twice a month to get the registry changed.
... View more
Labels:
- Labels:
-
Auto VPN
Jun 18 2021
4:26 AM
I hate to say this, but I put this in as a "wish" about 4 years ago. I still want this option and that's what it should be - an option. In the 802.1x policy there should be a drop down or radio buttons or something that lets the network admin pick what they want to happen if the ISE server is offline.
... View more
Jun 9 2020
3:56 AM
The user is reaching out to Charter to request a modem changes as she currently has an Arris modem. We'll see if they are willing to swap it and if so, if that fixes the issue. Thanks for all the suggestions.
... View more
Jun 5 2020
10:08 AM
That's a great idea, except the user only has a zero client that connects to VMware Horizon and no personal computer we could use temporarily.
... View more
Jun 5 2020
9:40 AM
Charter Spectrum is a large cable company in the US. The Z3 does plug into the ISP router, the ISP router provides a private IP in the 192.168.20.0/24 range that it of course NATs. I'm not sure if there is an upgrade available or not. This user is about a 8 hour drive from me so I'm working on scheduling some time to visit when I have a couple locations to visit in the same trip. Probably 2 weeks. I hope someone might have experienced this before and have a possible fix for me before that time. I just have a feeling that when I get on site and call Charter the person I talk to is not going to have a clue what I'm talking about and either tell me it's an issue with my equipment and stop there (since we can browse the Internet) or if they do escalate it will be a week before they call back.
... View more
Jun 5 2020
7:54 AM
We have a user that has Charter Spectrum at her home. Currently she has a Cisco 5505 ASA using DHCP on the WAN connection and it's connecting to our corporate ASA without issue. As we are retiring our 5505s and moving to Meraki we have issued her a Z3 that was tested using DHCP on the WAN before being shipped to her. When she removes the Ethernet cable from the ASA and plugs it into the Z3, the Z3 comes online. However the site to site VPN does not get established. The VPN registry shows connected. NAT Type is Friendly. And it's encrypted. The HUB it's trying to connect to has 33 other networks that are all up on the site to site without issue. Packet capture from both the hub and the spoke show outgoing traffic but no incoming traffic. This tells me there must be a firewall or something between them that is blocking this traffic. Since my hub has so many other connections and doing a packet capture on my edge firewall (same device her 5505 connects to) shows the hub Meraki sending the traffic out, but no traffic from the spoke (same as the hub packet capture) my guess is that it's the Charter modem/router at her house or something at Charter. We have reset the Z3 to factory defaults. It checked in and download the config, but still have the same results. Has anyone had a similar issue with Charter or any ISP for that matter? This is the only location we have with Charter. Other networks have AT&T, Comcast, CenturyLink and others.
... View more
© 2025 Cisco Systems, Inc.
