We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
1,334 views 0 comments
by anonymous
Our Cisco Meraki MX security appliance is behind RUT 950 4G and shows "NAT type: Unfriendly. This security appliance is behind a VPN-unfriendly NAT, which can be caused by upstream load balancers or strict firewall rules.". Unfriendly indicates that the upstream NAT won't allow the MX to use UDP hole punching to form the tunnel.

According to Cisco Meraki support, it needs the upstream firewall to open UDP ports 7351, 9350-9381, along with UDP 32768-61000. Destination IPs: 64.62.142.12/32, 158.115.128.0/19, 209.206.48.0/20, 216.157.128.0/20

Would you please advise how to properly configure the RUT950 to allow those ports to the Meraki destinations on the internet?

Thanks in advance,

Yuriy

1 Answer

0 votes
by anonymous

Hello,

To open the ports on the RUT950:

  • Log into its WebUI;
  • Navigate to Network → Firewall → Port forwards;
  • Create a new rule for each port/port range;
  • The IP addresses will need to be added for each rule. However, it is not possible to add IP address blocks to this rule, only the individual addresses, so if these ports are secure, simply leave the Source IP address field empty.
  • Specify the internal IP address;
  • Press Save & Apply.

However, if you are only using a single port on the RUT950, then I would recommend simply putting it into a bridge or passthrough mode, and letting the Cisco device handle everything else. This can be done by navigating to Network → Interfaces → General, editing the mobile interface, and changing it from NAT to Bridge. This way the RUT950 will act as a modem, and will pass the IP address received from the carrier straight into the Cisco device. Firewall rules will also not apply in this case.

Best regards,
DaumantasG
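
An added example, not part of the original answer and not Teltonika or Meraki code: a small Python check that flags dropped packets in a firewall log that match the Meraki destination networks and UDP ports quoted in the question, which helps confirm whether a rule change actually cleared the "Unfriendly" NAT condition. The key=value log layout and the sample lines are constructed for illustration, and the listed ports are assumed to be destination ports.

```python
import ipaddress
import re

# Destination networks and UDP ports quoted in the question above.
MERAKI_NETS = [ipaddress.ip_network(n) for n in (
    "64.62.142.12/32", "158.115.128.0/19",
    "209.206.48.0/20", "216.157.128.0/20")]
MERAKI_UDP_PORTS = [(7351, 7351), (9350, 9381), (32768, 61000)]

# Assumed key=value log layout (constructed for this example).
FIELD = re.compile(r"(\w+)=(\S+)")

def is_meraki_flow(proto, dst_ip, dst_port):
    """True if the flow is UDP to a listed network on a listed port."""
    if proto.upper() != "UDP":
        return False
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False  # unparsable destination address
    return (any(addr in net for net in MERAKI_NETS)
            and any(lo <= dst_port <= hi for lo, hi in MERAKI_UDP_PORTS))

def blocked_meraki_flows(lines):
    """Return (dst_ip, dst_port) of dropped packets on the Meraki list."""
    hits = []
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("ACTION") != "DROP" or not f.get("DPT", "").isdigit():
            continue  # not a drop, or a truncated/malformed line
        port = int(f["DPT"])
        if is_meraki_flow(f.get("PROTO", ""), f.get("DST", ""), port):
            hits.append((f["DST"], port))
    return hits

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "ACTION=DROP PROTO=UDP SRC=192.168.1.10 DST=158.115.130.7 DPT=7351",
    "ACTION=ACCEPT PROTO=UDP SRC=192.168.1.10 DST=209.206.50.1 DPT=9360",
    "ACTION=DROP PROTO=UDP SRC=192.168.1.10 DST=8.8.8.8 DPT=53",
    "ACTION=DROP PROTO=TCP SRC=192.168.1.10 DST=216.157.130.1 DPT=7351",
    "ACTION=DROP PROTO=UDP SRC=192.168.1.10 DST=64.62.142.12 DPT=45000",
    "ACTION=DROP PROTO=UDP SRC=192.168.1.10 DST=64.62.142.13 DPT=7351",
    "ACTION=DROP PROTO=UDP SRC=192.168.1.10 DST=not-an-ip DPT=7351",
    "ACTION=DROP PROTO=UDP SRC=192.168.1.10 DST=158.115.130.7",
]

if __name__ == "__main__":
    for ip, port in blocked_meraki_flows(SAMPLE_LOG):
        print(f"Meraki flow still blocked: udp/{port} -> {ip}")
```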