AutoVPN over 2 uplinks manual NAT

Solved
GIdenJoe
Kind of a big deal

Hi, silly little detail.

Say you have a site where the MX has a direct internet IP over WAN1 and another behind unfriendly NAT on WAN2.
WAN1 is the primary uplink but you do want to send/receive select traffic over WAN2.

You need to set the public IP and port of WAN2.
However you only have one public IP and port field.

Since both your public IPs will obviously be different, how do you set this only for the non-primary WAN so the primary WAN can still use its own public IP and port?

And why does it only show the status of the primary WAN in the VPN status page?


Thanks in advance 🙂

1 Accepted Solution
CN
Meraki Alumni (Retired)

Unfortunately, it is only possible to populate one public IP and port. When manual NAT traversal is set, both WAN1 and WAN2 will use the same port. Even though it is set to manual, the uplinks will still contact the VPN registry. The spokes will try all of the IP addresses they know about: the manual IP, the private IP of the uplink, and the IPs it contacts the VPN registry with.

So in this case, I would recommend putting in the IP of WAN2 as it's behind the unfriendly NAT. The spoke will learn about the WAN1 public IP address from the VPN registry connection. If possible, a port forward on the upstream NAT of WAN2 for the UDP port you choose will help the spokes create a tunnel to the MX.

3 Replies

GIdenJoe
Kind of a big deal

OK, that makes sense.

So the reporting you see in dashboard also will only mention the best uplink's status.

So it will continue to show the WAN1 connection to multiple registries using public IP while the other uplink is behind NAT.

iores
Comes here often

@CN If you change to manual NAT and enter a public IP and port, what will happen if the MX device switches to the secondary uplink with a different public IP address?
