Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About mpgioia
Community Record
11
Posts
2
Kudos
0
Solutions
Badges
Nov 27 2019
7:35 AM
I can do it.. No biggie.
... View more
Nov 27 2019
3:39 AM
Surely the two of you have raised this as 'make a wish' or whatever that feature is in the console/dashboard ? Or is there an 'ideation' area in the community for such a thing ? How do we get Meraki to inject this into its development cadence. The merit is blindingly obvious to attack..
... View more
Nov 25 2019
7:29 AM
1 Kudo
I'm going to have to get the other side to add them in.. (very silly/limiting), and then i'll firewall out the traffic. .. This is commoditised IPSEC S-2-S capability.. amazed you can't have a NEAR/FAR specified set per peer.. You can have FAR per peer.. but not NEAR.. :facepalm
... View more
Nov 25 2019
7:18 AM
I have a basic setup. 4 x Meraki MX's across 4 sites. All talking to each other via Meraki S-2-S VPN. Under ../manage/configure/vpn_settings I have the networks propagated with the drop down of 'VPN participation' : 'On'... they are two wide /16 networks. One of those four Meraki sites. has an additional peer to a Non-Meraki VPN implementation. I have three new routes (3 x more specific /24's in those greater /16 network's defined above) defined on the MX interfaces so I can also set the 'VPN participation' : 'On' for them too. Set up the peer as per normal. Here's the kicker. The far end implementation is seeing Phase 1 pass no probs, and even Phase 2, but then complaining of propagated proxy id's. It's seeing one of the wide /16 networks. Half understandable.. because.. for some reason.. we can't specify NEAR subnets in the non-meraki VPN peer setup ? Only FAR subnets ? (via the 'private subnets' field) ?! Surely, there's a way to do this...
... View more
Sep 8 2019
9:56 PM
Hang on... I want DNAT to a specific INSIDE LAN IP for certain ports. But then SNAT on that port bound to WAN IP to be on the standard SNAT overload the everything gets accumulated in. 'Static 1:1' NAT means.. whether its INGRESS or EGRESS .. for that port.. it'll use that different public ip .. and not the OVERLOAD that everything else gets accumulated. I think I achieve what I want with 'Port Forwarding Rules' (special INGRESS only.. right ?) .. but then notice you can't do ICMP with Port Forwarding.. #facepalm.. and you can't specify the public address.. it just forwards from the WAN IP... #doublefacepalm... NAT state-machine is such a commodity these days.. is it the UX that's the limitation.. maybe programmatic access you can leverage more flexibility ?
... View more
Sep 8 2019
8:44 PM
@PhilipDAth wrote: Outbound traffic that is not a 1:1 NAT will use the WAN interface IP address. ^^ Yes of course.. that makes sense.. ----------------------------- But both can't be done.. right ? I can't do a port translation as well as an address translation on a 1:1NAT. And, I definitely can't do the second question right ? As you said on the 'whole'.. right ?
... View more
Sep 8 2019
5:43 PM
NAT; port translation on a 1:1 NAT ? You can't do a port translation as well as an address translation with a "1:1 NAT" ? "1:Many NAT" looks like it can do it ? or... "Port forwarding" rule maybe looks like how to do it ? OS/NAT engine (or it's interface) seems limited... Secondly.. Let me explain a use case. I have three services. One public IP for DNAT. SMTP, RDP, HTTPS. SMTP I need it be to 1:1 .. Inbound hit the Public IP. When sourced outbound.. uses the same Public IP. RDP and HTTPS.. Inbound it to hit the Public IP referenced above. But if outbound traffic is seen with a dst of RDP, HTTPS, I need it to traverse the standard SNAT/SPAT overload.. not use the public set aside for DNAT's ONLY. How do I do that with this OS 😕 :confused :thinking_face.
... View more
Apr 12 2019
6:57 PM
1 Kudo
Yeh wow.. ok.. Any roadmap to include PBF/source based routing that we know of ?
... View more
Apr 12 2019
12:39 AM
What about if I have an MX with non-meraki / non-auto vpn peers.. can I policy based route destined to that vpn (instead of a default route 0.0.0.0/0, aka Internet route) ? @PhilipDAth.. and specifically in this instance.. I don't want any SNAT to occur .. even though it's bound out a WAN interface.. but technically to a non-meraki VPN peer destination. Will that work ?
... View more
Dec 2 2018
8:15 PM
The ACL state-machine/architecture doesn't seem like it facilitates blocking on non L4 protocols, aka L3 protocol ICMP ? https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation I can't block ICMP with this MS ACL engine ?
... View more
My Top Kudoed Posts
© 2024 Cisco Systems, Inc.
