1:Many NAT to VPN hosts

JoelKelley
Here to help

Working on planning out the conversion of a long-time Cisco ISR/ASA customer over to MX.  The customer is a C-Store chain that has an outside vendor monitor fuel tank gauges and today they do it through 1:Many NATs through an ASA.  So if the vendor browses to [public IP]:[port # xyz041] the ASA performs the translation and routes the traffic over to the MPLS WAN router and on out to the store over MPLS and they reach store number 41's tank gauge web UI.

 

The question is - moving over to a MX VPN network, can I configure these 1:Many NATs on a MX VPN hub (NAT mode, not one-armed) and refer to hosts available via AutoVPN?  If it's not supported it's not that big of a deal as we are still going to use the ASA for a couple things; but if the MX will support it we'd rather do it that way.

 

I've configured a 1:Many NAT on a VPN hub and referred to a LAN IP that doesn't actually live as a physically connected network on the ASA... and Dashboard didn't object to the config.  I called support and I got a weak "this isn't supported" answer - weak in that the support agent didn't sound too terribly confident in that answer.  It was more like "if it doesn't work then we can't support it". 

 

PhilipDAth
Kind of a big deal

This won't work alas. You can only NAT to a local LAN address.

Can you just give them client VPN access? A much better security story since you are making a change (make a change for the better).

Guess it was wishful thinking - hoping the MX would be smart enough to know the destination was in the routing table via AutoVPN. Client VPN definitely is a possibility although I’m not sure our customer/their vendor will go for it. Thanks Philip!

Actually let me clarify one aspect. Will each site have its own MX and Internet connection - or do all sites have a default route back to a central MX?

I just had a further play with this.  I tried this on 13.28 code (I have not attempted this for quite some time).  The GUI now takes the config (of NATing to a remote AutoVPN destination), so that is a step forward.

 

HOWEVER, there are caveats.  When traffic flows in via a NAT the return traffic must flow back out the same place.  So if you were using AutoVPN, the remote site must route the return traffic back to the original MX - this would normally imply you would have to use AutoVPN with the default route option.  This would mean you cannot use local Internet breakout.

 

HOWEVER, if you had local Internet breakout then you could always do NAT on each individual MX, saving you from having to use 1:Many NAT at the head end.  Don't forget there is DDNS available to locate these.
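The return-path caveat in the reply above is easy to get wrong when planning a hub-side NAT, so here is an added example (my own model, not code from the thread or from Meraki) that walks an inbound vendor connection through a hub 1:Many NAT rule and then checks whether the spoke's reply can reach the hub that holds the NAT state. Spoke names, LAN prefixes, ports, the vendor's source address and the "last three digits of the port are the store number" convention are all constructed assumptions based on the original post's "[port # xyz041] reaches store 41" description.

```python
"""Added example, not from the thread: a small model of why an inbound
1:Many NAT at an AutoVPN hub only works when the spoke's return path goes
back through that same hub.  All names, addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address


@dataclass(frozen=True)
class Spoke:
    name: str
    lan: IPv4Network
    default_route_via_hub: bool  # True: AutoVPN default route; False: local Internet breakout


@dataclass(frozen=True)
class NatRule:
    local_ip: str
    local_port: int
    allowed_sources: frozenset  # vendor source IPs permitted to use this port rule


@dataclass(frozen=True)
class Hub:
    public_ip: str
    rules: dict    # (protocol, public_port) -> NatRule
    spokes: tuple  # spokes reachable over AutoVPN


def store_for_port(public_port: int) -> int:
    """Assumed convention from the post: the last three digits of the public port
    identify the store (port ...041 -> store 41)."""
    return public_port % 1000


def forward_path(hub: Hub, protocol: str, public_port: int, source_ip: str):
    """Classify the inbound hop at the hub: which rule fires, whether the source
    is allowed, and which AutoVPN spoke owns the translated destination."""
    rule = hub.rules.get((protocol, public_port))
    if rule is None:
        return ("no-rule", None, None)
    if source_ip not in rule.allowed_sources:
        return ("blocked-source", None, rule)
    for spoke in hub.spokes:
        if ip_address(rule.local_ip) in spoke.lan:
            return ("forwarded", spoke, rule)
    return ("unreachable", None, rule)  # no AutoVPN route covers the local IP


def evaluate(hub: Hub, protocol: str, public_port: int, source_ip: str) -> str:
    """End-to-end verdict for one inbound flow."""
    state, spoke, rule = forward_path(hub, protocol, public_port, source_ip)
    if state != "forwarded":
        return state
    # The spoke addresses its reply to the vendor's public IP.  Only an AutoVPN
    # default route carries that reply back through the hub holding the NAT
    # state; with local breakout it exits the spoke's own WAN and the session dies.
    if spoke.default_route_via_hub:
        return f"ok:{spoke.name}:{rule.local_ip}:{rule.local_port}"
    return f"asymmetric:{spoke.name}"


def nat_placement(spoke: Spoke) -> str:
    """Where the reply suggests putting the NAT: hub when the spoke defaults
    back over AutoVPN, otherwise on the spoke's own MX (located via DDNS)."""
    return "hub" if spoke.default_route_via_hub else "spoke-mx-with-ddns"


# Constructed topology: two stores, one per return-path style, plus one dangling rule.
VENDOR_IP = "203.0.113.5"
STORE41 = Spoke("store41", IPv4Network("10.41.0.0/24"), default_route_via_hub=True)
STORE42 = Spoke("store42", IPv4Network("10.42.0.0/24"), default_route_via_hub=False)
HUB = Hub(
    public_ip="198.51.100.10",
    rules={
        ("tcp", 8041): NatRule("10.41.0.10", 80, frozenset({VENDOR_IP})),
        ("tcp", 8042): NatRule("10.42.0.10", 80, frozenset({VENDOR_IP})),
        ("tcp", 8099): NatRule("10.99.0.10", 80, frozenset({VENDOR_IP})),  # no such spoke
    },
    spokes=(STORE41, STORE42),
)

if __name__ == "__main__":
    for port in (8041, 8042, 8099):
        print(f"store {store_for_port(port):3d} via port {port}: "
              f"{evaluate(HUB, 'tcp', port, VENDOR_IP)}")
    print("wrong source:", evaluate(HUB, "tcp", 8041, "192.0.2.77"))
    for spoke in HUB.spokes:
        print(spoke.name, "->", nat_placement(spoke))
```

Running it shows store 41 (default route back over AutoVPN) working, store 42 (local breakout) failing as asymmetric even though the hub accepted the rule, and the 8099 rule accepted by the model but never reachable, which mirrors the "Dashboard didn't object" experience in the original post. The `allowed_sources` check stands in for restricting the rule to the vendor's address rather than exposing each tank gauge UI to the whole Internet.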

I notice in the 13.28 release notes this change:

  • Added support for 1:M NAT over AutoVPN