1:1 NAT question

Solved
Toby
Getting noticed

Hello!

 

I'm trying to set up a customer for MX going from ASA, but have run into an issue regarding NAT.

 

It concerns 1:1 NAT. I've tried to set up this rule, but it can't be configured since the hosts I'm trying to NAT are not on a subnet configured on the MX device. This is due to how the network is set up today, and the goal is to try and make as few changes as possible to the network during the change from ASA to MX. I'm unsure if what I'm trying to accomplish is at all doable, which is why I'm asking this question here. If anyone has an idea on how to do this, I would be very grateful.


In summary: Can 1:1 NAT rules be configured on an MX device if the host resides on a subnet which is not configured on the MX device?

1 Accepted Solution
jdsilva
Kind of a big deal


@Toby wrote:


In summary: Can 1:1 NAT rules be configured on an MX device if the host resides on a subnet which is not configured on the MX device?


Yes, well no. Sorta. 🙂

 

It can't not be on the MX at all. You need a route at a minimum, but it doesn't have to be a configured VLAN/subnet.

 

If you do it without a route you get this:

 

image.png

 

But once you add a route:

 

image.png

 

It'll save just fine.

 

image.png
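A pre-migration check based on the rule described in the answer above, as an added example that is not part of the original post and is not Meraki code: it flags which planned 1:1 NAT rules have a LAN IP that is covered by neither a configured VLAN subnet nor a static route. All names, addresses and the data layout are constructed for illustration, and the check only models the "needs at least a route" behaviour the answer describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Prefix:
    cidr: str
    kind: str                      # "vlan" or "static-route" (hypothetical labels)
    next_hop: Optional[str] = None

@dataclass(frozen=True)
class NatRule:
    name: str
    public_ip: str
    lan_ip: str

def covering_prefix(lan_ip, prefixes):
    """Return the most specific VLAN/route containing lan_ip, or None."""
    addr = ipaddress.ip_address(lan_ip)
    matches = [p for p in prefixes if addr in ipaddress.ip_network(p.cidr)]
    return max(matches,
               key=lambda p: ipaddress.ip_network(p.cidr).prefixlen,
               default=None)

def audit(rules, prefixes):
    """Map rule name -> (status, covering CIDR or None)."""
    report = {}
    for rule in rules:
        match = covering_prefix(rule.lan_ip, prefixes)
        if match is None:
            # Per the answer: with no route to the host, the rule will not save.
            report[rule.name] = ("no-route", None)
        else:
            report[rule.name] = (match.kind, match.cidr)
    return report

# Constructed sample data: one local VLAN, one routed subnet behind another device.
PREFIXES = [
    Prefix("192.168.10.0/24", "vlan"),
    Prefix("10.1.1.0/24", "static-route", next_hop="192.168.10.254"),
]
RULES = [
    NatRule("web", "203.0.113.10", "10.1.1.10"),        # routed subnet
    NatRule("printer", "203.0.113.11", "192.168.10.20"),  # local VLAN
    NatRule("camera", "203.0.113.12", "10.2.2.5"),       # nothing covers it
]

if __name__ == "__main__":
    for name, (status, cidr) in audit(RULES, PREFIXES).items():
        print(f"{name}: {status} {cidr or '(add a static route first)'}")
```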

4 Replies 4
MarcP
Kind of a big deal

You should just forward this NAT to the device which is responsible for the subnet.

 

Once I had a scenario, nearly like yours, and was told to do the following:

 

Lancom --> Meraki --> Camera

I was told to configure on the Lancom that the Camera is "behind" the MX (configured next hop), and within the MX I did the forward to the destination.

 

Should be the same in your case, but you have Meraki first and then something else.

 

To be honest, it didn't work in my scenario 😄

BrechtSchamp
Kind of a big deal

@jdsilva Not sure if it actually works, but I could configure it without warning. Did you have a route to the 10.1.1.1 network?

 

Edit: Nvm. I need to learn how to read.

Toby
Getting noticed

Great, this works, thanks! 🙂