Advice for dealing with 3rd party Site to Sites

Daniel24
Here to help

So, I had some information not identified to me correctly on the limitations of NAT/Address Translation with the MX Appliances. I had a basic Site to Site connection I had to build with a 3rd party to access their web application with LDAP credentials. Working with Meraki support, it took 3 months to resolve because of Address Translation issues. Essentially, the 3rd party couldn't use the IP Subnet range I was advertising to them. Eventually this was resolved by enabling an experimental feature for IPv4 translation within Security & SD-WAN > Site to Site VPN and setting the subnet that has that specific LDAP server on it to have a different IP Range (example: local 10.1.1.0/24 to 192.168.30.0/24).

But here is where things become tricky: that was one 3rd party Site to Site connection. I have at least 6 more that don't use Meraki gear. They may have Cisco ASAs, Fortinet, Sonicwall etc., and since the only NAT I can do is once per subnet, I have to align with all my 3rd parties that may be sharing IP space in the same VLAN to all use the same NAT IP Range. So an example would be 3rd party vendor 2 accesses 10.1.1.5 and 3rd party vendor 3 accesses 10.1.1.10, but they both use NAT as they cannot use the standard subnet I am advertising. So instead of building a NAT per Site to Site, I have to essentially work with both 3rd parties at the same time and PRAY I find a subnet that they can both use so I can assign that as the translation subnet in VPN settings.

I've checked with other network engineers and solution architects at other IT Firms, and this is for sure a limitation that they have all run into. I'm just at this point trying to figure out how I move forward, how to work around this, and if anyone has done anything different in a similar predicament and how to overcome it.

7 Replies
alemabrahao
Kind of a big deal

One suggestion that I believe could work is to use a machine within your network to terminate these VPN tunnels and not directly on the MX. It could be a Linux box or even a router; then it's just a matter of routing.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ww
Kind of a big deal

I agree with @alemabrahao, one that supports NAT.

Another benefit is that your MX firewall rules work.

Daniel24
Here to help

I haven't had much dealings with Linux short of running a couple of different OSes for apps. Is there some Linux platform you are aware of that could accommodate this?

PhilipDAth
Kind of a big deal

StrongSwan on Ubuntu - but this would be a big ask for someone without Linux experience to configure.
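The original post describes the MX constraint (one translated range per local subnet, which every partner reaching that subnet has to accept) and the replies above propose terminating the partner tunnels on a separate Linux or firewall box so translation can be done per tunnel instead. The following planner is an added example, written here to model both designs; it is not Meraki code, not strongSwan configuration, and not posted by anyone in this thread. Every subnet in it is a constructed sample: our own address space, the space each partner already uses internally (which our advertised range must not collide with), and the 10.1.1.0/24 to 192.168.30.0/24 style 1:1 mapping from the first post.

```python
"""Translation-range planner for third-party site-to-site tunnels.

Added example, not Meraki or strongSwan code. It models two designs:
  * MX style: one local subnet gets exactly one translated range, so that
    range has to clear every partner's internal space at the same time.
  * per-tunnel style (separate Linux/firewall box terminating the tunnels):
    each partner can be handed its own translated range, constrained only
    by that partner's space.
All networks below are constructed sample values.
"""
import ipaddress
from typing import Dict, Iterator, List, Optional

IPv4Network = ipaddress.IPv4Network

# RFC 1918 space, searched in this order for candidate translated ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: our VLAN holding the hosts the partners reach, and the
# address space we use internally (a translated range must not overlap it,
# or return traffic becomes ambiguous on our side).
LOCAL_SUBNET = ipaddress.ip_network("10.1.1.0/24")
OUR_SPACE: List[IPv4Network] = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: address space each partner already uses internally.
PARTNER_USED: Dict[str, List[IPv4Network]] = {
    "vendor2": [ipaddress.ip_network("172.16.0.0/12")],
    "vendor3": [ipaddress.ip_network("192.168.0.0/17")],
}


def overlaps_any(candidate: IPv4Network, used: List[IPv4Network]) -> bool:
    """True if the candidate range collides with any network in `used`."""
    return any(candidate.overlaps(u) for u in used)


def candidates(prefixlen: int) -> Iterator[IPv4Network]:
    """Every RFC 1918 block of the given prefix length, in address order."""
    for block in RFC1918:
        if block.prefixlen <= prefixlen:
            yield from block.subnets(new_prefix=prefixlen)


def acceptable_to(candidate: IPv4Network,
                  partners: Dict[str, List[IPv4Network]]) -> List[str]:
    """Names of partners whose internal space does not collide with it."""
    return [name for name, used in partners.items()
            if not overlaps_any(candidate, used)]


def find_translation(local: IPv4Network,
                     partners: Dict[str, List[IPv4Network]],
                     names: Optional[List[str]] = None,
                     reserved: List[IPv4Network] = OUR_SPACE
                     ) -> Optional[IPv4Network]:
    """First range, same size as `local`, that all `names` partners accept.

    With names=None this is the MX constraint: one range for the subnet, so
    it must clear every partner at once. Returns None if nothing fits.
    """
    wanted = list(partners) if names is None else names
    for cand in candidates(local.prefixlen):
        if cand == local or overlaps_any(cand, reserved):
            continue
        ok = acceptable_to(cand, partners)
        if all(n in ok for n in wanted):
            return cand
    return None


def per_tunnel_plan(local: IPv4Network,
                    partners: Dict[str, List[IPv4Network]]
                    ) -> Dict[str, Optional[IPv4Network]]:
    """Per-tunnel design: each partner only has to clear its own space."""
    return {name: find_translation(local, partners, [name]) for name in partners}


def translate_host(host: str, local: IPv4Network,
                   translated: IPv4Network) -> ipaddress.IPv4Address:
    """1:1 subnet translation: keep the host part, swap the network part."""
    addr = ipaddress.ip_address(host)
    if addr not in local:
        raise ValueError(f"{addr} is not in {local}")
    offset = int(addr) - int(local.network_address)
    return ipaddress.ip_address(int(translated.network_address) + offset)


if __name__ == "__main__":
    common = find_translation(LOCAL_SUBNET, PARTNER_USED)
    print("MX style, one range all partners must accept:", common)
    for name, rng in per_tunnel_plan(LOCAL_SUBNET, PARTNER_USED).items():
        print(f"per-tunnel, {name}:", rng)
    print("10.1.1.5 seen by a partner given 192.168.30.0/24:",
          translate_host("10.1.1.5", LOCAL_SUBNET,
                         ipaddress.ip_network("192.168.30.0/24")))
```

With the constructed partner data, the MX-style search has to skip everything vendor2 uses (172.16.0.0/12) and everything vendor3 uses (192.168.0.0/17) as well as our own 10.0.0.0/8, so the first range both accept is 192.168.128.0/24; the per-tunnel plan instead hands vendor2 192.168.0.0/24 and vendor3 172.16.0.0/24, each of which the other partner would have rejected. That difference is the whole argument for terminating the tunnels somewhere that can translate per tunnel. If `find_translation` returns None for the MX case, there is no single range left that clears everyone, which is the situation the first post describes having to pray against.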

PhilipDAth
Kind of a big deal

If this is a web app - can you use a simple proxy server and route all web browsing requests for this specific app via that? You may be able to get rid of NAT completely.

Daniel24
Here to help

Unfortunately, all these 3rd party sites have a mixture of web applications and physical hardware to connect to or send data out on behalf of that partner.

Daniel24
Here to help

Any thoughts on utilizing a Cisco Firepower 1010 or 1120 model to handle only these tunnels, then leave the MX to do the rest of the firewall, routing, and URL filtering? Is that a possibility?
