Meraki

Community

1:1 NAT Failover

Mosquitar
Here to help
‎Nov 12 2018 10:00 AM
‎Nov 12 2018 10:00 AM

1:1 NAT Failover

Hi All,

 

I need to setup 1:1 NAT on an MX250 so that in the event that my primary WAN uplink fails, inbound traffic will NAT via the secondary WAN uplink.

 

I have read the below guide that illustrates that a secondary NAT rule can be configured for failover using a different uplink, however, this uses a separate public IP address. In my scenario, the ISP will automatically advertise the /29 public IP address block via uplink Internet 2 (using static routes that are advertised into BGP) in the event that the primary internet connections fails. 

 

Is this possible on the MX? Unfortunately I dont have one available to test this with.

 

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Configuring_1%3A1_NAT

 

60fa5a60-acd5-4443-8642-f773c49ecf8b

0 Kudos
7 Replies 7
MRCUR
Kind of a big deal
‎Nov 12 2018 11:15 AM
‎Nov 12 2018 11:15 AM

Are you unable to use a Virtual IP in this scenario and just connect WAN 1 port on each MX? This would allow you to leave the NAT rules alone. 

MRCUR | CMNO #12
0 Kudos
In response to MRCUR
Mosquitar
Here to help
‎Nov 12 2018 11:32 AM
‎Nov 12 2018 11:32 AM

Hi,

 

No this is not possible as its a single MX

 

Thanks,

0 Kudos
In response to MRCUR
Mosquitar
Here to help
‎Nov 12 2018 11:38 AM
‎Nov 12 2018 11:38 AM

Sorry forgot to mention - I'm only trying to achieve internet resiliency here and not MX appliance resiliency. When the primary internet circuit fails that carries the /29 prefix used for 1:1 NAT, I need that /29 prefix to route to the secondary internet connection, which is possible on the ISPs side, and NAT on the MX.

 

Essentially I will be duplicating the NAT rules for each uplink but I dont know if this is possible

0 Kudos
In response to Mosquitar
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 12 2018 3:27 PM
‎Nov 12 2018 3:27 PM

I see two options.

 

1. Have the ISP terminate the two ISP connections onto a seperate switch, and then plug that into the WAN1 on your MX.

 

2. Have the ISP connect to each WAN port of the MX using a /30 stub.  Then route the /29 down one of the links, and in the event of a failure, route it over the other.  This approach is going to require you to have an exceptional ISP, so I would go with option 1.

0 Kudos
In response to PhilipDAth
Mosquitar
Here to help
‎Nov 13 2018 5:30 AM
‎Nov 13 2018 5:30 AM

Hi Philip,

 

Our ISP has checked and confirmed that option 2 is possible so that is not the issue. The issue is that I'm not sure if the MX will support the same 1:1 NAT rules via both Internet 1 and Internet 2 interfaces. For example, if my public IP block is 1.1.1.0/29 and public IP 1.1.1.1 NATs to internal 192.168.1.1 via Internet1 during normal operation, then what happens when the ISP detects a failure and routes 1.1.1.0/29 to Internet2? Can I setup the same NAT rules on both WAN uplinks to support this?

 

 Thank you

0 Kudos
In response to Mosquitar
MRCUR
Kind of a big deal
‎Nov 13 2018 7:03 AM
‎Nov 13 2018 7:03 AM

I'm pretty sure you'll need to NAT to a different IP for the WAN 2 rule. Can you go for the other option @PhilipDAth presented so this isn't an issue? 

MRCUR | CMNO #12
0 Kudos
In response to Mosquitar
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 13 2018 10:16 AM
‎Nov 13 2018 10:16 AM

Yes the MX can support having the same NAT on both WAN links. Here is the info on configuring it:

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

 

You simply specify Uplink as Both.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.