1:1 NAT Failover

Mosquitar
Here to help

1:1 NAT Failover

Hi All,

 

I need to setup 1:1 NAT on an MX250 so that in the event that my primary WAN uplink fails, inbound traffic will NAT via the secondary WAN uplink.

 

I have read the below guide that illustrates that a secondary NAT rule can be configured for failover using a different uplink, however, this uses a separate public IP address. In my scenario, the ISP will automatically advertise the /29 public IP address block via uplink Internet 2 (using static routes that are advertised into BGP) in the event that the primary internet connections fails. 

 

Is this possible on the MX? Unfortunately I dont have one available to test this with.

 

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Configuring_1%3A1_NAT

 

60fa5a60-acd5-4443-8642-f773c49ecf8b

7 REPLIES 7
MRCUR
Kind of a big deal

Are you unable to use a Virtual IP in this scenario and just connect WAN 1 port on each MX? This would allow you to leave the NAT rules alone. 

MRCUR | CMNO #12

Hi,

 

No this is not possible as its a single MX

 

Thanks,

Sorry forgot to mention - I'm only trying to achieve internet resiliency here and not MX appliance resiliency. When the primary internet circuit fails that carries the /29 prefix used for 1:1 NAT, I need that /29 prefix to route to the secondary internet connection, which is possible on the ISPs side, and NAT on the MX.

 

Essentially I will be duplicating the NAT rules for each uplink but I dont know if this is possible

I see two options.

 

1. Have the ISP terminate the two ISP connections onto a seperate switch, and then plug that into the WAN1 on your MX.

 

2. Have the ISP connect to each WAN port of the MX using a /30 stub.  Then route the /29 down one of the links, and in the event of a failure, route it over the other.  This approach is going to require you to have an exceptional ISP, so I would go with option 1.

Hi Philip,

 

Our ISP has checked and confirmed that option 2 is possible so that is not the issue. The issue is that I'm not sure if the MX will support the same 1:1 NAT rules via both Internet 1 and Internet 2 interfaces. For example, if my public IP block is 1.1.1.0/29 and public IP 1.1.1.1 NATs to internal 192.168.1.1 via Internet1 during normal operation, then what happens when the ISP detects a failure and routes 1.1.1.0/29 to Internet2? Can I setup the same NAT rules on both WAN uplinks to support this?

 

 Thank you

MRCUR
Kind of a big deal

I'm pretty sure you'll need to NAT to a different IP for the WAN 2 rule. Can you go for the other option @PhilipDAth presented so this isn't an issue? 

MRCUR | CMNO #12

Yes the MX can support having the same NAT on both WAN links. Here is the info on configuring it:

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

 

You simply specify Uplink as Both.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels