Re: VPN recommendations?
The port forwarding only applies to manual NAT traversal. If you use auto NAT traversal, it takes care of that. Because all of the connections are coordinated through the dashboard, the Auto-VPN will typically work even if all nodes are behind NAT. I've used them on the end of Verizon (CG-NAT) connections and they work fine. I have had one instance where three of them were behind the same single IP NAT and the third would fail to connect. We had to get one of them moved to a different NAT IP to solve that.

If you're looking for a simple-to-use, easy-to-manage VPN appliance, the MX (and Z) Meraki products will work. The config is entirely handled through the dashboard, so no-touch, drop-ship deployments are an option. You can provide view-only access to users per network, so the customer or a first-level tech could be given the ability to look but not break anything. All of the MX and Z products will work in a single VPN, so you can pick the device that best fits the requirements. For a small office with one or two people, the Z3 works great; it even has one PoE port for an IP phone. For larger sites or the core site, they go up to 6Gb (I think) of throughput for the MX450, with redundant power and uplinks.

As others have pointed out, they are license-based and they don't work without a license, and they are a Cisco product, so pricing will depend on how good your relationship is with your Cisco rep. :)

One big caveat: they are still lacking in the IPv6 realm, so if that is a requirement, they won't work right now.

--Rich
---------- Forwarded message ----------
From: William Herrin <bill@herrin.us>
To: Shawn L <shawnl@up.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 10 Feb 2022 10:54:39 -0800
Subject: Re: VPN recommendations?

On Thu, Feb 10, 2022 at 10:18 AM Shawn L <shawnl@up.net> wrote:
> Meraki MX series? Dynamic IPs and NATs don't really cause them a problem. Some CGNats do (AT&T I'm looking at you).
Thanks Shawn,
The documentation I found at
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settin... suggests that the NAT firewall has to be explicitly configured to deliver UDP 500/4500 to the Meraki behind it. Are you aware of any documentation that describes:
LAN - Meraki - NAT (dynamic IP) - Internet - (static IP) Meraki - LAN
Where the left-side Meraki is responsible for establishing and keeping the NAT translations alive without any special configuration on the NAT?
Regards, Bill
-- Rich Greenwood Network Engineer Shasta County Office of Education Information Technology 1644 Magnolia Ave. Redding, CA 96001 Office: 530-225-0161 Hotline: 530-225-0279 rgreenwood@shastacoe.org
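Bill's question above is really about who keeps the NAT translation alive for the left-side peer when the NAT itself is not configured. The script below is an added example (not Meraki code, and not something Rich or Bill posted; it says nothing about how Auto-VPN is implemented) showing the generic mechanics any IPsec peer behind a NAT relies on: the IKEv2 NAT_DETECTION payloads of RFC 7296 §2.23 that tell the responder a NAT is in the path, the UDP 4500 demultiplexing and one-byte 0xFF keepalive of RFC 3948, and a toy NAT table that shows the inside peer's outbound keepalives, not the static-IP side, are what keep the mapping open. All addresses, SPIs and the 30 s idle timeout are constructed values.

```python
"""IKEv2 NAT detection (RFC 7296 s2.23), UDP 4500 demultiplexing and the
NAT-T keepalive (RFC 3948), plus a toy NAT table showing why the inside
peer, not the NAT, has to keep the translation alive.
Added example, not Meraki code. All addresses are constructed
documentation-range values."""
import hashlib
import ipaddress
import struct

IKE_PORT, NATT_PORT = 500, 4500
NATT_KEEPALIVE = b"\xff"          # RFC 3948 s4: one 0xFF byte on UDP 4500
NON_ESP_MARKER = b"\x00" * 4      # RFC 3948 s2.2: prefix of IKE on UDP 4500


def nat_detection_hash(spi_i, spi_r, ip, port):
    """SHA-1(SPIi | SPIr | IP | Port), the payload of the
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes (SPIr is all-zero in IKE_SA_INIT)")
    return hashlib.sha1(spi_i + spi_r + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


def initiator_notifications(spi_i, spi_r, src, dst):
    """What the initiator puts in IKE_SA_INIT: hashes of the addresses it
    believes it is using (its private address, if it sits behind a NAT)."""
    return (nat_detection_hash(spi_i, spi_r, *src),
            nat_detection_hash(spi_i, spi_r, *dst))


def responder_check(spi_i, spi_r, notif_src, notif_dst, seen_src, seen_dst):
    """The responder recomputes over the IP/UDP headers it actually received.
    A mismatch on the source side means a NAT sits in front of the initiator;
    on the destination side, in front of the responder itself."""
    return {
        "nat_in_front_of_initiator":
            notif_src != nat_detection_hash(spi_i, spi_r, *seen_src),
        "nat_in_front_of_responder":
            notif_dst != nat_detection_hash(spi_i, spi_r, *seen_dst),
    }


def classify_udp4500(payload):
    """RFC 3948 demux on UDP 4500: a lone 0xFF byte is a keepalive, a 4-byte
    zero non-ESP marker prefixes IKE, otherwise the first 4 bytes are a
    non-zero ESP SPI followed by a 4-byte sequence number."""
    if payload == NATT_KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:
        return "esp"
    return "invalid"


class ToyNat:
    """Endpoint-independent UDP NAT with an idle timeout (constructed model).
    Mappings exist only because an inside host sent something; inbound
    packets with no live mapping are dropped."""

    def __init__(self, public_ip, idle_timeout=30):
        self.public_ip, self.idle_timeout = public_ip, idle_timeout
        self.table = {}      # (inside_ip, port) -> [public_port, last_seen]
        self.next_port = 61000

    def outbound(self, inside, now):
        if inside not in self.table:
            self.table[inside] = [self.next_port, now]
            self.next_port += 1
        self.table[inside][1] = now          # outbound traffic refreshes the mapping
        return (self.public_ip, self.table[inside][0])

    def inbound(self, public_port, now):
        for inside, (pport, last) in list(self.table.items()):
            if pport == public_port:
                if now - last > self.idle_timeout:
                    del self.table[inside]   # the translation timed out
                    return None
                return inside
        return None


def simulate(keepalive_interval, nat_idle_timeout=30, at=120):
    """Inside peer (behind ToyNat) brings up the tunnel at t=0 and sends a
    NAT-T keepalive every `keepalive_interval` s (None = never). At t=`at`
    the static-IP peer sends ESP inbound. Returns True if it gets through."""
    nat = ToyNat("198.51.100.7", nat_idle_timeout)
    inside = ("192.168.1.10", NATT_PORT)
    _, public_port = nat.outbound(inside, 0)         # IKE_SA_INIT opens the mapping
    if keepalive_interval:
        for t in range(keepalive_interval, at, keepalive_interval):
            nat.outbound(inside, t)                  # the 0xFF keepalive refreshes it
    return nat.inbound(public_port, at) == inside


if __name__ == "__main__":
    spi_i, spi_r = bytes.fromhex("0123456789abcdef"), b"\x00" * 8
    notif = initiator_notifications(spi_i, spi_r,
                                    ("192.168.1.10", IKE_PORT), ("203.0.113.5", IKE_PORT))
    print(responder_check(spi_i, spi_r, *notif,
                          ("198.51.100.7", 61234), ("203.0.113.5", IKE_PORT)))
    print("no keepalive:", simulate(None), " keepalive every 20 s:", simulate(20))
```

The point of `simulate` is the asymmetry Bill draws in his diagram: the static-IP side can only ever reach the dynamic side through a mapping the dynamic side created, so it is the inside peer's keepalive cadence (shorter than the NAT's UDP idle timeout) that decides whether the tunnel survives, and nothing on the NAT needs configuring for that. Port forwarding of UDP 500/4500 is only needed when the peer behind the NAT must also accept unsolicited inbound IKE, i.e. when the other side has to initiate.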