A question about NAT

RyanMiller

Hi,

I have discovered that the 1:many Meraki NAT implementation will always send outgoing traffic from the primary public IP instead of the IP assigned to the 1:many NAT rule.

I have spent hours trying to find out why I am not able to use these two NAT services:

1. Zoom Meeting Connector, which should be possible to configure using 1:many NAT, but unfortunately not on a Meraki MX-100 device:

https://support.zoom.us/hc/en-us/articles/204898919-Configure-Meeting-Connector-Controller-Port-Forw...

The solution to this is not to use a 1:many NAT rule and to use 1:1 NAT instead; unfortunately this requires two public IPs, or more if you add other Zoom on-premise services.

2. Barracuda spam firewall and Exchange server.

I decided to offload some traffic from the Barracuda firewall, traffic which is not related to spam checking, and use the built-in 1:many NAT instead of 1:1 on the MX-100.

This resulted in outbound email being sent using the primary IP instead of the assigned 1:many NAT IP. This results in SPF verification failing and outgoing email being rejected by outside servers. I had to revert back to 1:1 NAT and deal with occasional overload on the Barracuda firewall due to web traffic. Maybe this post will save someone else time.

I am not looking for a solution. The only solution which would work for me is if Meraki 1:many NAT worked as I expect it to and kept the assigned traffic on the public IP I assigned it to.

Best regards.
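The SPF failure described in the post, as an added example (this is not code from the original post or from Meraki): a minimal evaluator for the ip4:, ip6: and all mechanisms of an SPF record, run against two constructed public addresses, one assumed to be the MX's primary interface IP and one assumed to be the IP on the 1:many NAT rule. The addresses and the SPF records are invented for illustration; the point it shows is that a receiving server sees the connecting IP, so mail that the MX sources from the primary IP hard-fails a record that only lists the NAT-rule IP.

```python
import ipaddress

# Constructed addresses for illustration (documentation range, not real hosts).
PRIMARY_IP = "203.0.113.10"    # assumed MX primary (interface) public IP
NAT_RULE_IP = "203.0.113.20"   # assumed public IP configured on the 1:many NAT rule

# Hypothetical SPF record that only lists the NAT-rule IP the administrator
# expected outbound mail to use.
SPF_NAT_ONLY = "v=spf1 ip4:203.0.113.20 -all"
# The same record with the primary IP added, which is what a receiver would
# need to see for mail actually leaving on the interface IP to pass.
SPF_BOTH = "v=spf1 ip4:203.0.113.20 ip4:203.0.113.10 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(spf_record: str, client_ip: str) -> str:
    """Evaluate the ip4:, ip6: and all mechanisms of an SPF record for the
    IP that connected to the receiving MTA.

    Returns 'pass', 'fail', 'softfail' or 'neutral'. Mechanisms that need
    DNS (include:, a, mx, exists:, redirect=) are skipped so this runs
    offline; a full checker (RFC 7208 section 5) would resolve them.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")

    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # a bare address with no prefix length is a /32 or /128
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        # anything else would need a DNS lookup and is treated as no match
    return "neutral"                       # record ended without an "all"


def outbound_mail_verdicts(spf_record: str) -> dict:
    """What a receiving server concludes for mail from each possible source IP."""
    return {
        "from_nat_rule_ip": spf_check(spf_record, NAT_RULE_IP),
        "from_primary_ip": spf_check(spf_record, PRIMARY_IP),
    }


if __name__ == "__main__":
    # With 1:many NAT the MX sources the mail from PRIMARY_IP, so the record
    # that lists only NAT_RULE_IP hard-fails it; listing both IPs passes.
    print("NAT-rule IP only:", outbound_mail_verdicts(SPF_NAT_ONLY))
    print("both IPs listed: ", outbound_mail_verdicts(SPF_BOTH))
```

If you keep 1:many NAT, the only thing that makes the receiver happy is listing the interface IP in the SPF record as well; with 1:1 NAT, as the post ends up doing, the mail leaves on the 1:1 address and the original record works.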

Bruce

@RyanMiller I agree with you that if you are doing 1:many NAT and NATing a port on a specific IP address to an internal IP address for a device, then when that device's internal IP address responds from that port it should be NATed back to the IP address that is defined in the 1:many rule. That seems like it would be the logical behaviour and I would raise this with Meraki support (it may be a bug); if you already have, I'd love to know their response. (The 1:many NAT documentation makes no mention of the behaviour of the return traffic.)

In your Zoom scenario, I just glanced through the Zoom document: why can't you use the port forwarding capability of the MX using its primary IP address instead of the 1:many? Is it just a preference not to, or am I not understanding something in your environment?

cmr

@RyanMiller unfortunately MXs do not currently support PAT or 1:many NAT for outbound traffic.

You have NAT on the interface IP or 1:1 NAT.

I'm sure it will come, but I don't believe it is a timetabled roadmap item.
