Meraki MX access to modem from internal?

chris-doro
Level 1

We have a Zyxel LTE modem which is connected to WAN2 (backup) of a Meraki MX75.
We'll install it at a remote site.
Is there a way to configure the Zyxel remotely?
It does not work over WAN, because the cellular provider internally uses private IP addresses, just NATing from inside to outside.
And the Zyxel modem does not allow me to add static routes back to the LAN; I can only add static routes to Cellular-WAN or ETHWAN.
Normally I like to do a simple trick on firewalls, NATing the remote-mgmt IP address to the local interface IP address where the device is connected (in this case WAN2).
But Meraki does not have this NAT ability; I just have the default NAT (inside - outside) or NAT from WAN to LAN.
Any way to solve this (just in case)?
Thanks.

1 Accepted Solution

I made a test with my Meraki setup in order to verify if 1:1 NAT configured in the MX solves the problem.

My setup is as follows:

Internet------Cisco LTE router--------------WAN2--Meraki MX------internal LAN (172.17.1.0/24)

                               192.168.100.1                 192.168.100.2

Cisco router IP address: 192.168.100.1

Meraki MX WAN2 IP address: 192.168.100.2

My PC IP address: 172.17.1.16

I configured 1:1 NAT on the MX for WAN2 like in the attached screenshot.

From my PC I can ping the router address on WAN2 and also ssh to it:

liviu@Livius-iMac:~$ ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=11.682 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=6.561 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=7.712 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=5.891 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=7.638 ms
^C
--- 192.168.100.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 5.891/7.897/11.682/2.012 ms

liviu@Livius-iMac:~$ ssh 192.168.100.1
Password:

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***
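
The 1:1 NAT mapping tested above, written as a rule for the Meraki Dashboard API, as an added example that is not part of the original post or Cisco's own code. The mapped address 192.168.100.10, the /24 mask, the rule name, the network id and the helper names are assumptions (the screenshot values are not on the page); the empty `allowedInbound` list keeps the mapping usable for sessions opened from the PC while allowing no new connections from the modem side.

```python
import ipaddress

# Dashboard API v1 path for 1:1 NAT rules; the rule list is sent with PUT.
API_PATH = "/networks/{network_id}/appliance/firewall/oneToOneNatRules"


def build_wan2_nat_rule(lan_ip, mapped_ip, wan2_subnet, wan2_in_use, name="modem-mgmt"):
    """Build one 1:1 NAT rule mapping a LAN host to an unused WAN2 address.

    Raises ValueError when the mapped address is outside the WAN2 subnet or
    collides with an address already used there (modem, MX uplink).
    """
    net = ipaddress.ip_network(wan2_subnet)
    lan = ipaddress.ip_address(lan_ip)
    mapped = ipaddress.ip_address(mapped_ip)
    if mapped not in net or mapped in (net.network_address, net.broadcast_address):
        raise ValueError(f"{mapped} is not a usable host address in {net}")
    if mapped in {ipaddress.ip_address(a) for a in wan2_in_use}:
        raise ValueError(f"{mapped} is already in use on WAN2")
    if lan in net:
        raise ValueError(f"{lan} is on the WAN2 segment, not the LAN")
    return {
        "name": name,              # hypothetical rule name
        "lanIp": str(lan),
        "publicIp": str(mapped),
        "uplink": "internet2",     # WAN2
        "allowedInbound": [],      # no new connections from the modem side
    }


def build_request(network_id, rules):
    """Return (path, body) for the PUT; it replaces the whole 1:1 NAT rule list."""
    return API_PATH.format(network_id=network_id), {"rules": rules}


if __name__ == "__main__":
    # Addresses from the post; 192.168.100.10, the /24 mask and the
    # network id are constructed placeholders.
    rule = build_wan2_nat_rule(
        lan_ip="172.17.1.16",
        mapped_ip="192.168.100.10",
        wan2_subnet="192.168.100.0/24",
        wan2_in_use=["192.168.100.1", "192.168.100.2"],
    )
    print(build_request("N_PLACEHOLDER", [rule]))
```

Because the PUT replaces the existing rule list, read the current rules first and send them back together with the new one.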


3 Replies

Have you tried 1:1 NAT? Configuring NAT for the address of your PC into an unused IP on WAN2?

I know the documentation positions it for access from outside to an inside resource, but it seems to me like a static NAT which can also be used for traffic originating on the inside interface and going to WAN2.

You can configure it by going to Security & SD-WAN -> Configure -> Firewall -> Forwarding Rules.

HTH

Regards, LG
*** Please Rate All Helpful Responses ***


Thank you very much.
I'll try this.