The Meraki MX64 is an enterprise security appliance designed for distributed deployments that require remote administration. It is ideal for network administrators who demand both ease of deployment and a state-of-the-art feature set. This appliance provides the following new features:
All Meraki MX devices must have an IP address. This section describes how to configure your local area network before you deploy it. A local management web service, running on the appliance, is accessed through a browser running on a client PC. This web service is used for configuring and monitoring basic ISP/WAN connectivity.
The following is only a brief overview of the steps required to add an MX to your network. For detailed instructions about creating, configuring and managing Meraki networks, refer to the online documentation (documentation.meraki.com).
If an upstream firewall is already in place, it must allow outgoing connections on particular ports to particular IP addresses. The most current list of outbound ports and IP addresses for your particular organization can be found on the firewall configuration page in your dashboard.
By default, all MX devices are configured to obtain an address via DHCP from upstream WAN / ISP servers. Simply connect the MX's WAN / Internet port to your upstream circuit and wait a few minutes for the unit to negotiate a DHCP address.
PPPoE authentication may be required if you are connecting the MX device to a DSL circuit. You need to know your authentication option and credentials (supplied by your ISP) in order to complete these steps.
To configure physical link settings on the Ethernet ports, click Local status > Ethernet configuration. You can enable half duplex, full duplex, and auto-negotiation, as well as set 10- or 100-Mbps data rates.
If you are still experiencing hardware issues, please contact Cisco Meraki support by logging in to dashboard and using the Help option near the top of the page, then opening an email case or calling using the contact information on that page.
I am new to hardware firewalls so please excuse me if any of my questions are basic; however, I want to make sure I fully understand everything from the ground up. I have settled on Cisco Merakis and am just in the process of setting up my first unit - an MX64. There was already a basic BT smart hub in place providing internet connectivity to the network - this had an IP address of 192.168.16.254. So I connected my laptop to the Meraki and went to the setup URL. Under uplink configuration I switched it to static IP and assigned it an IP address of 192.168.16.100, gateway of 192.168.16.254 (I realise that it won't work properly with the BT router but this was just a temporary measure to get it online so I can play around with the interface and work it all out), and 8.8.8.8 / 8.8.4.4 as the DNS servers. I plugged the WAN connection on the Meraki into the BT router and then LAN Port 1 into the main Netgear switch. After a minute or so the Meraki status light went solid white indicating that it was functioning correctly and checking the status page read
Green tick at the top / Healthy: This security appliance is functioning normally.
Ethernet: This security appliance is directly connected to a local area network IP address: 192.168.16.100
Internet: This security appliance is connected to the internet.
Cisco Meraki Cloud: This security appliance is successfully connected to the Cisco Meraki Cloud.
My first question is: am I correct in thinking that at the moment the Cisco Meraki will NOT be able to provide basic functions like site-to-site or client VPNs because the built-in firewall on the BT smart router which is acting as the internet gateway will block the relevant ports and generally conflict with the settings? In order for the Cisco Meraki to work properly the router that is acting as the gateway must be in bridge (correct term?) mode?
When you have clients directly behind a firewall, the firewall will always be the default gateway for these clients. Looking at the route a packet has to go, the first hop (router) from the client is the default gateway. In your case, it would be the Meraki.
Thanks for the feedback! I am quite happy to replace the BT router with something more reliable - I am looking to standardise a setup that I can roll out elsewhere. What would you recommend as a good / reliable / easy to configure in bridge mode router?
I think I have everything set up correctly now but as it's my first time with this combination of hardware I would feel a lot better if I could get a few second opinions to confirm it's all secure and properly configured. First I disabled DHCP on the DrayTek Vigor 2760 router and assigned it a static IP address. Then I enabled PPPoE PassThrough (see screenshot). I connected the WAN 1 port of the DrayTek into the internet port on the Cisco Meraki MX64 then connected LAN port 1 of the Meraki into the main network switch.
I then set up a couple of port redirects for the CCTV and also a few client VPN connections - all of which worked perfectly. I have found the cloud-based Meraki dashboard great to work with. I think this is my hardware configuration of choice now to roll out at other installations - can I just get some feedback on if I have done it all correctly / securely please?
As much as I have seen from Meraki, their setup is far more logical and usable - up to the limitations their solution has. A logical and overseeable management is one of the most important things in security, when you want to avoid misconfiguration.
We reviewed the installation procedure you used in your ticket description, as well as a brief look at your Dashboard configurations, and everything appears to be configured correctly from what we can see. In response to your specific inquiries:
1. The installation procedure appears to be correct and secure
2. Since you have directly configured your public static IP address on your MX, it is correct that the details page would be showing the public IP address as the WAN address for your MX, so this is correct.
3. The MX is a stateful firewall, so stateful inspection is in place automatically (this cannot be disabled).
I hope I'm missing something really simple, but how do you configure both the WAN 1 and WAN 2 ports to be static? In this case, I configured much of the unit via DHCP into the Internet port. I then changed port 4 to be WAN, with a static IP (with Internet port still DHCP). At that point, I connected the ISP modem to port 4 and connected Internet port to a non-DHCP ISP modem. After that, I checked the device's status and saw the WAN was that of port 4. I can't find any way to configure WAN 1 (Internet port) with the correct static IP info. If I disconnect port 4 and reconnect WAN 1 to DHCP, the unit gets back on the Internet, but it won't let me change the WAN info to static. I just get a yellow "!" and it never accepts the change.
Thanks for the response, JFM-FL. I had done local access for configuring the port 4, but I was hoping that I could make WAN 1 changes via the web interface. Having to be directly connected is going to be a very inconvenient element for my remote sites. My hope was that the Meraki cloud management was going to be more capable. Well, still figuring Meraki out, as it is way different than all the other routers that I've worked with.
I'll have to keep testing, but that is not working for me. If I put in the IP address for either WAN port, it simply times out. Have I overlooked a setting that allows remote access to the public IP(s)?
If you want to be able to get to its local status page remotely then you need to go to Security Appliance>Firewall and add your IP to the 'Web (local status & configuration)' section. Also go to Network Wide>General and check the 'Remote device status pages' setting and make sure it is set to 'Remote devices status pages enabled.'
I probably should have been more specific. So when I'm trying to reach a remote device while on my network, I can access the MX device of a remote branch by using the Private IP address of the MX device. For instance, my local branch is 192.168.1.0/24. The local IP for the MX device is 192.168.1.1. My remote branch is 192.168.2.0/24, with 192.168.2.1 being the local IP for that MX. If I want to view the config page of either device, I simply type in the private IP.
@Mr_IT_Guy At the time, I was working in an environment that was inside the router distributing the public IP. As I didn't have a loopback rule in place for the public IP, I was trying to use my phone to access the public IP. For whatever reason, it didn't work and I spent no more time on it, as I had local access. However, now that I'm at home, I can log into the static IP just fine and indeed get to the port config page, which is exactly what I was looking for. So, I now have everything configured correctly and the VPN is working just fine. Now on to figuring out routing on these units... Thanks for the help.
If you go to the IP address of the MX device (or type in setup.meraki.com), it will pull up the configuration page for the MX64. Click on the Configure tab and enter the admin credentials for that network. You should be able to now change WAN 1 and 2 to static.
@The_Livingstone, if you go to Security appliance > Monitor > Appliance Status you can click on the Uplink tab. Under the WAN section, it shows the IP on the WAN and it'll have either (DHCP) or (Static) next to it.
These issues are about to bring to a halt a massive MX deployment to one of the largest C-Store chains in the US. We have support cases open under two organizations for these behaviors. For what it's worth, the customer orgs that are having these problems are on n82 and n219.meraki.com.
I have seen this behavior in some of my MX65's. The Cloud Dashboard says it's up to date but the device UI says it's only at 25%. I was successfully able to bring one device back to solid white LED after holding in the reset button for approximately 10 seconds or until the LED turned solid amber.