Double NAT'ing issues

Gareth_Parry
Here to help


Hi,

I have an MX65 sitting behind a BT router and wanted to create a static tunnel to a gateway in Azure. I had an issue with double NAT'ing, so ended up setting the BT router to bridge mode. This all worked fine.

I have now moved to BT with Hybrid Connect, but have just been informed that Hybrid Connect does not work with bridge mode (and bridge mode is not supported on the Smart Hub 3).

Are there any other options to make this work, but keep the Hybrid Connect as a backup?

Thanks

Gareth

alemabrahao
Kind of a big deal

It seems you’re facing a common issue with BT Hybrid Connect and Bridge Mode. As you’ve mentioned, the BT Hybrid Connect does not work when the BT router is in Bridge Mode. This is because in Bridge Mode, the router functions as a modem only, which is not compatible with the Hybrid Connect device.

If possible, you could consider using a different router that supports both Bridge Mode and Hybrid Connect. This would likely involve additional costs and setup.

Another option could be to use the Hybrid Connect as a Wi-Fi extender. This would allow you to maintain your current network setup while still benefiting from the Hybrid Connect’s ability to provide a backup connection.

If the issue is related to signal strength, you could consider attaching additional antennas to the Hybrid Connect device. This could potentially improve the 4G signal and provide a more reliable backup connection.

If the issue is related to double NAT’ing, you could consider configuring NAT (Network Address Translation) on your Azure VPN Gateway. This could potentially allow you to connect networks with overlapping IP address ranges.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GIdenJoe
Kind of a big deal

Does Hybrid Connect router mode support port forwarding or DMZ host? If so you could at least forward UDP/500 + 4500 to the IP of the MX (or vIP if you have an HA pair). If the Azure gateway does not support customizing the remote IKE-ID you will have to set the local IKE ID on your Meraki VPN (using IKEv2) to your public IP.

PhilipDAth
Kind of a big deal

How do you feel about keeping your life simple and pain-free? Putting a VMX-S into Azure will solve the issue ...

https://meraki.cisco.com/product/hybrid-cloud/vmx/vmx-small/

Gareth_Parry
Here to help

Hi,

The VMX-S solution sounds interesting.

Can you confirm my understanding:

It will install a virtual MX device onto the Azure network, which will appear in my Meraki dashboard. I then set up VPN from my physical MX devices (networks) to the virtual one. Once complete, all networks will be able to access all resources at the other networks and Azure (I have a VM with SQL Server on it that I want all sites to access)?

Can I then use a client VPN on a laptop to connect to the VMX in Azure and then have access to a resource at one of the other sites, i.e. I can connect to the VMX in Azure and then connect to the CCTV appliance, via IP address, at one of the other networks?

Thanks

Gareth

PhilipDAth
Kind of a big deal

>once complete then all networks will be able to access all resources at the other networks and Azure

Correct.

>can i then use a client VPN on a Laptop to connect to the VMX in azure

As long as you deploy it and select no availability zone, and also set it to be in VPN concentrator mode (prior to deploying it). You have to use split tunneling (as Azure does not allow full tunnel client VPN mode). Because of this, I recommend you use AnyConnect, which makes doing this easy.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance

Gareth_Parry
Here to help

Hi,

I have set up the VMX in Azure and all has gone quite well. I can reach each of our depots from the VMX.

I have then set up a client VPN using the Windows VPN client on my laptop. I set it to connect to the VMX network, and set it to split tunneling.

This connects fine.

I then want to access another device on another Meraki network from my laptop. I was expecting the traffic to go from my laptop, to the VMX, to the other network and then to the device. This doesn't seem to work.

Have I done something wrong here?

Thanks

Gareth

PhilipDAth
Kind of a big deal

The other Meraki network - was that included in the split tunnel list for the VPN client that you configured?

Gareth_Parry
Here to help

Hi,

All I did was go into Network Connections from the Windows Control Panel, then the properties of the VPN connection to the VMX, then the Networking tab, properties on the IPv4 entry, the Advanced button, and unticked 'Use default gateway on remote network'.

I'm guessing there is more to it than this?

Thanks

Gareth

PhilipDAth
Kind of a big deal

Yes. You have to add static routes via the client VPN connection.

A while ago I wrote a wizard that creates a PowerShell script for creating the Windows client VPN connection with all the options set. Perhaps give that a go.
https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html
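For reference, the kind of thing such a script has to do, as an added example that is not the wizard's output or anything from the thread: it builds the Windows VPN connection to the VMX with split tunneling and then attaches the static routes for the other Meraki networks, which is the step the plain 'Use default gateway on remote network' tickbox does not cover. Assumes L2TP/IPsec with a pre-shared key as the MX client VPN uses; the connection name, server address, shared secret and prefixes are placeholders.

```powershell
# Added example (not the poster's wizard): create a Windows client VPN connection
# to the VMX with split tunneling and static routes for the remote depot subnets.
# Every name, address and prefix below is a placeholder; run as administrator.
$ConnectionName   = 'Azure VMX'
$VmxPublicAddress = 'vmx.example.invalid'   # placeholder: VMX public hostname/IP from the dashboard
$PreSharedKey     = 'CHANGE-ME'             # placeholder: client VPN shared secret from the dashboard

# Subnets that must go through the tunnel: the VMX's own Azure range plus each
# depot's LAN behind the other MX appliances (placeholder prefixes).
$RemotePrefixes = @('10.100.0.0/16', '192.168.10.0/24', '192.168.20.0/24')

# Remove any stale connection of the same name so the script is repeatable.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

# L2TP over IPsec with a pre-shared key; PAP runs inside the encrypted tunnel.
# -SplitTunneling is the equivalent of unticking 'Use default gateway on remote network'.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $VmxPublicAddress `
    -TunnelType L2tp `
    -L2tpPsk $PreSharedKey `
    -AuthenticationMethod Pap `
    -EncryptionLevel Required `
    -SplitTunneling `
    -RememberCredential `
    -Force

# With split tunneling on, only these routes are installed when the VPN comes up.
# Without them, traffic for the other depots leaves via the laptop's local default
# gateway and never reaches the VMX, which matches the symptom in the thread.
foreach ($prefix in $RemotePrefixes) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
}

# Windows refuses L2TP/IPsec when the client (and possibly the server) sits behind
# NAT unless this well-known policy value is set; a reboot is required afterwards.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' `
    -Name 'AssumeUDPEncapsulationContextOnSendRule' -PropertyType DWord -Value 2 -Force | Out-Null

# Show what was configured so the route list can be checked against the dashboard.
Get-VpnConnection -Name $ConnectionName | Select-Object Name, ServerAddress, TunnelType, SplitTunneling
(Get-VpnConnection -Name $ConnectionName).Routes | Select-Object DestinationPrefix
```

After connecting, `route print` on the laptop should list each prefix with the VPN interface as its next hop; if a depot subnet is missing there, the client never sends that traffic into the tunnel regardless of what the VMX allows.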

Gareth_Parry
Here to help

Hi,

I finally purchased some AnyConnect licenses. In the VMX network I set up the AnyConnect settings under Client VPN.

I set the client routing option to the destinations I want to send traffic through the VPN on (one of which is the same range as the VMX and a server I want to be able to reach).

I can connect the VPN. I see in the AnyConnect client on my laptop that the routes I entered are shown, but I can't seem to reach anything.

Am I missing something?

Thanks

Gareth
