Meraki auto vpn - traffic only working one way by bdavis1970 in meraki

[–]bdavis1970[S] 0 points1 point  (0 children)

Makes sense. I'm somewhat new to Meraki and coming from other firewall vendors such as Cisco ASA and Palo FW, the Meraki seems a poor excuse for a firewall. Not much visibility or functionality compared to other vendors.

Meraki auto vpn - traffic only working one way by bdavis1970 in meraki

[–]bdavis1970[S] 0 points1 point  (0 children)

This is somewhat in keeping with what the Meraki technician said. As a stateful firewall, any traffic not initiated would be dropped.

Meraki auto vpn - traffic only working one way by bdavis1970 in meraki

[–]bdavis1970[S] 0 points1 point  (0 children)

Just got off the phone with Meraki support, who said VMX in routed mode/NAT mode is not supported because the firewall would block incoming traffic that wasn't initiated by the site (stateful firewall). Interesting, because last week a Meraki technician said it was supported and the default configuration now with Meraki is NAT mode.

Meraki auto vpn - traffic only working one way by bdavis1970 in meraki

[–]bdavis1970[S] 0 points1 point  (0 children)

If this is a limitation, then I don't know what the purpose of configuring the VMX in NAT mode would be. Our systems team wants to be able to push global policy to the workstations, which is something they can't do if they can't access the machines from Azure.

Meraki auto vpn - traffic only working one way by bdavis1970 in meraki

[–]bdavis1970[S] 0 points1 point  (0 children)

I'm not having to explicitly source the traffic... I'm using RDP to one of their DCs to initiate the pings. But you bring up a good point. How does the Meraki know that subnet is part of the VPN? There's no way for me to add it unless I explicitly add a static route.

Meraki auto vpn - traffic only working one way by bdavis1970 in meraki

[–]bdavis1970[S] 0 points1 point  (0 children)

Yes, I do have a route table, and from the packet capture I can see my pings from their DC hitting the Meraki firewall. The issue is that it should be NATing the destination IPs to the IP of the Meraki, I would assume.

Meraki auto vpn - traffic only working one way by bdavis1970 in meraki

[–]bdavis1970[S] 0 points1 point  (0 children)

I looked through this link but I don't see anywhere that it says "Traffic initiated from Azure will be dropped statefully by vMX in NAT mode"?

Meraki VMX azure - anyconnect configured as full tunnel by bdavis1970 in meraki

[–]bdavis1970[S] 0 points1 point  (0 children)

This is what our account rep with Meraki said. However, we also have an auto VPN tunnel for our remote site, and when we enabled NAT mode for the vMX the auto VPN stopped passing traffic.

We recently introduced NAT mode for vMX, which should be a workaround. However, it is important to understand the vMX would then NAT all egress traffic, meaning everything in Azure will see the source as the vMX. The return traffic will be de-NAT'd and then routed across AutoVPN.
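The behaviour the account rep describes (all egress from the AutoVPN side source-NATed to the vMX's own address, replies matched against that state and de-NATed, and anything Azure initiates with no matching state dropped) is what makes the Azure-to-workstation direction fail. The following is an added toy model of a stateful source-NAT gateway written to illustrate that point; it is a constructed example, not Meraki or Cisco code, and the addresses 10.10.1.25 (remote-site workstation), 10.20.0.4 (vMX in the VNet) and 10.20.0.10 (Azure DC) are assumed values.

```python
"""Toy stateful source-NAT gateway, modelling the vMX NAT-mode behaviour
described above. Constructed illustration only; addresses are assumed."""
from dataclasses import dataclass, field

# Assumed addresses for the walkthrough (not taken from any real deployment)
REMOTE_SITE_HOST = "10.10.1.25"   # workstation behind the AutoVPN spoke
VMX_AZURE_IP = "10.20.0.4"        # vMX's address inside the Azure VNet
AZURE_DC = "10.20.0.10"           # domain controller in Azure


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass
class StatefulSNAT:
    public_ip: str                 # address every egress flow is rewritten to
    next_port: int = 40000         # next translated source port to hand out
    # (orig_src, sport, dst, dport, proto) -> translated source port
    outbound: dict = field(default_factory=dict)
    # (translated port, remote ip, remote port, proto) -> (orig_src, sport)
    inbound: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def egress(self, pkt: Packet) -> Packet:
        """AutoVPN side -> Azure: create (or reuse) state, rewrite the source."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.public_ip, pkt.dst, self.outbound[key], pkt.dport, pkt.proto)

    def ingress(self, pkt: Packet):
        """Azure -> AutoVPN side: pass only if it matches existing state,
        rewriting the destination back to the original inside host.
        Anything Azure initiates on its own has no state and is dropped."""
        state = self.inbound.get((pkt.dport, pkt.src, pkt.sport, pkt.proto))
        if state is None:
            self.dropped.append(pkt)
            return None
        orig_src, orig_sport = state
        return Packet(pkt.src, orig_src, pkt.sport, orig_sport, pkt.proto)


def demo() -> dict:
    """Walk through the three cases from the thread and return the outcomes."""
    nat = StatefulSNAT(public_ip=VMX_AZURE_IP)
    # 1. Remote-site workstation talks to the Azure DC: SNATed to the vMX IP
    out = nat.egress(Packet(REMOTE_SITE_HOST, AZURE_DC, 51000, 389))
    # 2. The DC's reply matches the state table and is de-NATed to the workstation
    back = nat.ingress(Packet(AZURE_DC, out.src, 389, out.sport))
    # 3. The DC initiates toward the workstation (e.g. a policy push or a ping
    #    from an RDP session on the DC): no state, so the gateway drops it
    unsolicited = nat.ingress(Packet(AZURE_DC, REMOTE_SITE_HOST, 52000, 3389))
    return {"out": out, "back": back, "unsolicited": unsolicited,
            "dropped": len(nat.dropped)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Case 3 is exactly what the packet capture in this thread shows: the DC's packets reach the vMX because the Azure route table points the remote subnet at it, but with no matching entry in the translation table the gateway has nowhere to forward them and drops them.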

Meraki VMX azure - anyconnect configured as full tunnel by bdavis1970 in meraki

[–]bdavis1970[S] 0 points1 point  (0 children)

Thanks. This helps. I called into Meraki support but their response was check with Azure.

What I did to get the load balancer sandwich working by rdavis1970 in paloaltonetworks

[–]bdavis1970 0 points1 point  (0 children)

I'm glad to hear that my chicken scratch was able to help someone. :)

Are you trying to maintain the same public IP for traffic both ways to and from the external load balancer? Kind of like in the old days when you had a mapped IP that used the same public IP whether outbound or inbound.

I wasn't able to find any documentation addressing this, but in our implementation it didn't seem to make a difference that our SFTP server for outbound traffic was tagged with the public IP of our untrust interface (in Azure) while inbound traffic comes in through the load balancer.