I want to put the Meraki behind a Palo Alto firewall and I need to know what ports I need to open. I tried this a few times and my VPN to my office would not work. If I put it behind an ASA everything works fine.
Hello. Say you have a Hub-Spoke network consisting of both a Private IP MPLS network and a Public Internet network, and the Hub has a Palo Alto NG firewall.
VPN Automated NAT traversal will not work, as the PA randomly changes the outbound VPN UDP port. Therefore the remote peers keep sending to the destination Hub IP, but with a changing VPN NAT destination port that no longer matches. The PA sees changing ports from the same IP address as an intrusion attack and blocks them.
VPN Manual port forwarding allows only one Public IP:Port to be set. Therefore the remote peer that has a Private IP MPLS will not attempt to connect to the Hub MX using its internal IP address.
The solution was to create a 1-to-1 NAT on the Hub PA (a specific external IP to the Hub MX IP, real or virtual) and allow all Meraki VPN UDP ports.
We had to set the static IP and port in the site-to-site settings, as our Palo wasn’t allowing dynamic ports for the VPN connection. This forced the Meraki cloud VPNs to only use that specific port and IP to connect to the HUB. I’m just waking up; I’ll send the relevant articles in a bit.
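The 1-to-1 NAT plus UDP allow that the replies above describe, sketched as PAN-OS CLI set commands. This is an added illustration, not configuration posted in the thread; the zone names untrust/trust, the public IP 203.0.113.10, the MX address 10.0.0.10 and the rule and object names are assumed placeholders, and the complete AutoVPN UDP port list should be taken from Meraki's own documentation rather than from this snippet.

```text
# Assumed placeholders (not from the thread): untrust/trust zones,
# 203.0.113.10 = dedicated public IP on the PA, 10.0.0.10 = Hub MX WAN address behind it.

# Service object for Meraki AutoVPN UDP. 9350 is the documented Meraki VPN registry port;
# add the remaining AutoVPN UDP ports from Meraki's documentation to this object.
set service meraki-autovpn-udp protocol udp port 9350

# 1-to-1 static NAT: 10.0.0.10 <-> 203.0.113.10. "bi-directional yes" also creates the
# inbound destination NAT, so the hub is reached on a fixed IP instead of a per-flow
# rewritten source port (the dynamic-port behaviour the thread says breaks NAT traversal).
set rulebase nat rules mx-hub-1to1 from trust to untrust source 10.0.0.10 destination any service any
set rulebase nat rules mx-hub-1to1 source-translation static-ip translated-address 203.0.113.10 bi-directional yes

# Inbound AutoVPN from the spokes to the hub MX. PAN-OS security policy matches the
# pre-NAT destination address (the public IP) and the post-NAT destination zone (trust).
# Narrow "source any" to the spoke public IPs if they are static.
set rulebase security rules allow-mx-autovpn from untrust to trust source any destination 203.0.113.10 application any service meraki-autovpn-udp action allow

# Outbound from the hub MX to the Meraki cloud and the spokes.
set rulebase security rules allow-mx-outbound from trust to untrust source 10.0.0.10 destination any application any service meraki-autovpn-udp action allow

commit

# Meraki side, as the last reply describes: in the site-to-site VPN settings set NAT
# traversal to manual with 203.0.113.10 and the chosen UDP port, so the spokes always
# target that IP:port rather than whatever the firewall last rewrote.
```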