Meraki

jjbehrend · ‎Mar 27 2020

We need to send traffic over a vpn connection from instances in an aws subnet, but due to an addressing conflict they need to come from a different source IP (we need to either nat or "spoof" an IP address). Since we couldn't find a way to NAT the traffic on the VMX, we tried to set the source IP on the linux box originating the traffic using ip route src. This works between AWS instances, however, for some reason, the VMX doesn't seem to 'see' the traffic (it doesn't even show up on packet capture). Can you help us resolve this?

We need from an instance that we have EC2 in AWS whose IP is 10.111.88.241 it can make IP spoofing and Meraki can receive it.Our Meraki VMX100 is located at IP 10.111.88.43.

We unlocked the IP spoofing block parameter for logging only, but still failed to get traffic to be seen in Meraki's Packet Capture.

Questions:1. What is needed to enable traffic to reach Meraki from a spoofed IP, in our case:
Original IP: 10.111.88.241
IP spoofing:172.17.10.153
2. Can we perform NAT changing the origin according to the destination in Meraki?

jdsilva · ‎Mar 27 2020

Did you look at this feature:

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

That might do what you want?

http://blog.brokennetwork.ca |

@jdsilva

PhilipDAth · ‎Mar 27 2020

@jdsilva has the simplest solution.

I'd done something similar once and it did my head in. I think I used a pair of VPCs. I used an Ubuntu box with two NICs connecting them together (one NIC in each VPC). The Ubuntu box did the NAT as traffic went from one VPC to the other, changing between address spaces.

Meraki

Community

AWS VMX100 IP spoofing

AWS VMX100 IP spoofing