AutoVPN over 2 uplinks manual NAT

SOLVED
Head in the Cloud

Hi, silly little detail.

Say you have a site where the MX has a direct internet IP over WAN1 and another behind unfriendly NAT on WAN2.
WAN1 is the primary uplink but you do want to send/receive select traffic over WAN2.

You need to set the public IP and port of WAN2.
However you only have one public IP and port field.


Since both your public IPs will obviously be different, how do you set this only for the non-primary WAN so the primary WAN can still use its public IP and own port?

And why does it only show the status of the primary WAN in the VPN status page?



Thanks in advance 🙂

1 ACCEPTED SOLUTION

Meraki Employee

Re: AutoVPN over 2 uplinks manual NAT

Unfortunately, it is only possible to populate one public IP and port. When manual NAT traversal is set, both WAN1 and WAN2 will use the same port. Even though it is set to manual, the uplinks will still contact the VPN registry. The spokes will try all of the IP addresses they know about: the manual IP, the private IP of the uplink, and the IPs that it contacts the VPN registry with.

So in this case, I would recommend putting in the IP of WAN2, as it's behind the unfriendly NAT. The spoke will learn about the WAN1 public IP address from the VPN registry connection. If possible, a port forward on the upstream NAT of WAN2 for the UDP port you choose will help the spokes create a tunnel to the MX.

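The port forward the accepted answer recommends for the upstream NAT of WAN2, written out as an added example that is not from this thread or from Meraki. It assumes the upstream NAT is a Linux router using iptables, `eth0` is its internet-facing interface, `192.168.2.2` is the MX WAN2 private address, and UDP `32768` is the port chosen in the manual NAT traversal setting (all placeholder values); only that one UDP port is forwarded, rather than exposing the MX as a DMZ host.

```shell
#!/bin/sh
# Added example (not from the Meraki thread). Generates the iptables rules for
# forwarding the chosen AutoVPN UDP port through the upstream NAT of WAN2.
# Placeholder assumptions: eth0 = internet-facing interface of the NAT box,
# 192.168.2.2 = MX WAN2 private address, 32768 = port chosen under manual
# NAT traversal. Only this single UDP port is forwarded to the MX.

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print (do not run) the two iptables commands for one UDP port forward.
# Usage: autovpn_forward_rules WAN_IF MX_WAN2_IP UDP_PORT
autovpn_forward_rules() {
    wan_if=$1; mx_ip=$2; port=$3
    valid_port "$port" || { echo "invalid UDP port: $port" >&2; return 1; }
    # DNAT inbound UDP on the chosen port to the MX WAN2 private address.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p udp --dport $port -j DNAT --to-destination $mx_ip:$port"
    # Permit only that forwarded flow (and its replies) through FORWARD.
    echo "iptables -A FORWARD -i $wan_if -p udp -d $mx_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Dry run by default; set APPLY=1 (as root) to execute the generated rules.
apply_autovpn_forward() {
    rules=$(autovpn_forward_rules "$@") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | while IFS= read -r cmd; do eval "$cmd"; done
    else
        printf '%s\n' "$rules"
    fi
}

apply_autovpn_forward eth0 192.168.2.2 32768
```

By default the script only prints the rules; set `APPLY=1` and run it as root on the NAT box to install them.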

2 REPLIES

Head in the Cloud

Re: AutoVPN over 2 uplinks manual NAT

Ok, that makes sense.

So the reporting you see in the dashboard will also only mention the best uplink's status.

So it will continue to show the WAN1 connection to multiple registries using public IP while the other uplink is behind NAT.
