Meraki

Community

Full Site to Site VPN vs 1:1 NAT

AY2022
Getting noticed
‎Aug 15 2024 8:27 PM
‎Aug 15 2024 8:27 PM

Full Site to Site VPN vs 1:1 NAT

Would like to understand the traffic flow priority here. 

 

Say that I have a spoke site connecting to a hub with full tunnel auto vpn setup. 

And one of the LAN vlan e.g. vlan x is enabled for VPN. 

 

Am I still able to use the 1:1 NAT to point to an IP inside the VLAN X thru the spoke site's WAN 1? 

Or it will not work, as all the traffic for that VLAN is being tunneled out thru the VPN out to the hub? 

 

Arigato.

4 Replies 4
Tony-Sydney-AU
Meraki Employee
Meraki Employee
‎Aug 15 2024 10:34 PM
‎Aug 15 2024 10:34 PM

Hi @AY2022 ,

 

That's an interesting question from an interesting design. 🙂

 

I understand your remote user will connect to 1:1 NAT Public IP in a HUB MX but 1:1 NAT translates the user connection request to a server behind a Spoke MX. Please, correct me if I'm wrong.

 

If I'm correct, then your design works. However, there are three problems:

  1. Your remote user connecting to 1:1NAT Public IP will experience slowness because the server is behind a VPN
  2. Your remote user won't be able to connect if the VPN goes down
  3. Remote user may have problems with some applications because the server behind the Spoke MX will have a lower MTU (remember the packets will be encrypted by VPN therefore, there is less space for user data).

 

In summary, this design is not the best but you have two alternatives:

  1. Move your server to the HUB MX Local VLAN
  2. Configure 1:1NAT on the Spoke MX and disable IPv4 default route in Site-to-Site VPN settings

You can also use Port Forwarding on the Spoke MX if you don't have a Public IP - just don't forget to disable IPv4 default route. Disabling IPv4 default route on the Spoke will fix the routing asymmetry problem.

 

I'm adding a network diagram below to give you a better idea of the network flows.

1to1_NAT_and_AVPN.png

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
In response to Tony-Sydney-AU
AY2022
Getting noticed
‎Aug 20 2024 7:04 PM
‎Aug 20 2024 7:04 PM

Hi Tony, 

Thanks for the reply. 

Based on your drawing, I'm trying to see whether its possible to publish a server in the vlan 20 via MX2 using the 1:1Nat. I understand that by doing default route under site to site VPN, everything goes out via MX1. Hence, wondering whether the 1:1NAT policy supersede the default route policy and allow the incoming traffic from web to that server in vlan20 and then have it egress back out via the MX2 WAN. 

 

I'm wondering, if Meraki has this feature that allows local internet breakout by source rather than destination, would it works? 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 19 2024 4:56 AM
‎Aug 19 2024 4:56 AM

It wont work.

In response to PhilipDAth
Tony-Sydney-AU
Meraki Employee
Meraki Employee
‎Aug 19 2024 4:41 PM
‎Aug 19 2024 4:41 PM

Correctomundo! 😄 Thanks for correcting me, @PhilipDAth !

 

My apologies, @AY2022 and Community members.

 

MX doesn't allow you to configure NAT1:1, NAT1:many, Port Forward when the LAN server does not live in a local subnet. If you try, you would the the error below:

Screenshot 2024-08-20 at 09.23.19.png

I'm glad Mx does not allow configuring a NAT or Port Forwarding Rule when the Server is not in a local subnet. This completely prevents the problems I talked about earlier:

 

  1. Your remote user connecting to 1:1NAT Public IP will experience slowness because the server is behind a VPN
  2. Your remote user won't be able to connect if the VPN goes down
  3. Remote user may have problems with some applications because the server behind the Spoke MX will have a lower MTU (remember the packets will be encrypted by VPN therefore, there is less space for user data).
If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.