1:1 NAT to the Same IP Address

KRobert
Head in the Cloud

We have an interesting setup with one of our ISP connections. Comcast has provided a /27 to our network using what they call an Ethernet Dedicated Internet Circuit (EDI), where they provide their customers with a non-routable /30 (WAN) network and a publicly routable /27 LAN network. In order to use the /27, the customer needs to provide a router to route the traffic. Our environment is set up with an HA firewall, an IPS/IDS, and multiple other edge devices, so we cannot use our firewalls to route this traffic.

In order to facilitate this, we are using an MX100 as our "edge ISP" router. I worked with Meraki support, and they stated that because the MX100 is performing NAT on all traffic to the /30, the Comcast router/modem isn't actually seeing the traffic coming from the /27, so the traffic drops.

 

Per support's request, I set up my MX100 as follows:

Set up Internet Port 1 with the WAN /30 IP address.

Set up a VLAN on the MX100 that is a private network. In this example, we used 10.0.0.0/24.

Assign our downstream devices to the private network VLAN.

Set up a 1:1 NAT on the MX100 that maps the private IP addresses to the public /27.

 

Doing this was successful! However, this is an issue because I have to reassign all of my downstream devices with private IP addresses.

 

As a workaround, I set my "private network" VLAN on the MX100 to the /27 network and set my 1:1 NAT so the public IP and LAN IP are the same.

 

This too is working successfully, but I'd like to know if the 1:1 NAT to itself is going to cause any issues, if this has ever been done, and if anyone has any suggestions.

CMNO, CCNA R+S
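As an added illustration (not code from the post or from Meraki), here is a small Python model of the two behaviours described above: a host covered by a 1:1 entry keeps its /27 address toward Comcast, while a host without one is rewritten to the MX's WAN /30 address, which is the traffic support said the upstream drops. The prefixes are placeholders, since the thread does not state the real ones, and the check function is an assumed sanity check, not a dashboard feature.

```python
from ipaddress import ip_address, ip_network

# Placeholder prefixes: the thread only says "a /30 WAN" and "a /27 LAN".
WAN_NET = ip_network("203.0.113.0/30")          # Comcast /30 transit
MX_WAN_IP = ip_address("203.0.113.2")           # MX Internet Port 1 address
PUBLIC_NET = ip_network("198.51.100.0/27")      # Comcast-routed /27

def identity_nat_map(hosts):
    """Workaround from the post: the LAN VLAN *is* the /27, so every
    1:1 entry maps a public IP to itself."""
    return {ip_address(h): ip_address(h) for h in hosts}

def outbound_source(src, nat_map, wan_ip=MX_WAN_IP):
    """Source address the Comcast router sees. A 1:1 entry wins; otherwise
    the MX's default many-to-one NAT rewrites the source to its WAN /30 IP."""
    return nat_map.get(ip_address(src), wan_ip)

def inbound_destination(dst, nat_map):
    """LAN host that receives a packet sent to a public IP, or None if no
    1:1 entry claims that address."""
    reverse = {pub: lan for lan, pub in nat_map.items()}
    return reverse.get(ip_address(dst))

def check_nat_map(nat_map, public_net=PUBLIC_NET, wan_net=WAN_NET):
    """Assumed pre-deployment checks: every public side sits inside the routed
    /27, nothing touches the /30 transit network, and no public IP is
    claimed by two LAN hosts."""
    problems, seen = [], set()
    for lan, pub in nat_map.items():
        if pub not in public_net:
            problems.append(f"{lan}->{pub}: public side outside {public_net}")
        if pub in wan_net or lan in wan_net:
            problems.append(f"{lan}->{pub}: touches WAN transit {wan_net}")
        if pub in seen:
            problems.append(f"{pub} claimed by more than one LAN host")
        seen.add(pub)
    return problems

if __name__ == "__main__":
    nat = identity_nat_map(["198.51.100.10"])
    print(outbound_source("198.51.100.10", nat))   # 198.51.100.10 (unchanged)
    print(outbound_source("198.51.100.11", nat))   # 203.0.113.2 (no 1:1 entry)
    print(check_nat_map(nat))                       # []
```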
jdsilva
Kind of a big deal

I looked into this style of 1:1 NAT a while back, and as near as my testing could tell, this works just fine. I also bounced it off a couple of technical people on our account team and there were no objections to deploying it. It's a little weird to look at, and might confuse support folks unless it's documented properly, but it should be a perfectly viable solution.

KRobert
Head in the Cloud

Thanks @jdsilva. I am looking at this too as more of a "networking concept in general" and if the 1:1 NAT to the same IP has any routing issues at its fundamental core. It definitely is a weird setup to look at, but overall I thought it made sense. 

 

 

CMNO, CCNA R+S
Nick
Head in the Cloud

I came across this exact setup today - it took a lot of head scratching for us to figure out what was going on, as the additional WAN subnet was not documented anywhere! So it initially appeared that the MX was randomly routing IP addresses.

 

But this seems to work just fine. This setup has an ISR down the line on a 1:1 NAT without issue.

KRobert
Head in the Cloud

Thanks @Nick. It is good to know that I am not the only one doing this. I added a comment in the Notes section of the appliance in case anyone is looking at it, to help reduce the head scratching 😀

CMNO, CCNA R+S
Nick
Head in the Cloud

You're welcome, it was a relief to find you doing this @KRobert

 

I also did the same in the notes section 😆

JacoboLevy
Getting noticed

@KRobert I had the same issue and had been fighting with this for over a week.

 

THANKS!!!!
