Full Site to Site VPN vs 1:1 NAT

AY2022

I would like to understand the traffic flow priority here.

Say that I have a spoke site connecting to a hub with a full-tunnel AutoVPN setup,

and one of the LAN VLANs, e.g. VLAN X, is enabled for VPN.

Am I still able to use 1:1 NAT to point to an IP inside VLAN X through the spoke site's WAN 1?

Or will it not work, as all the traffic for that VLAN is being tunneled out through the VPN to the hub?

Arigato.

Tony-Sydney-AU
Meraki Employee

Hi @AY2022 ,

That's an interesting question from an interesting design. 🙂

I understand your remote user will connect to the 1:1 NAT public IP on a hub MX, but the 1:1 NAT translates the user's connection request to a server behind a spoke MX. Please correct me if I'm wrong.

If I'm correct, then your design works. However, there are three problems:

  1. Your remote user connecting to the 1:1 NAT public IP will experience slowness because the server is behind a VPN.
  2. Your remote user won't be able to connect if the VPN goes down.
  3. The remote user may have problems with some applications because the server behind the spoke MX will have a lower MTU (remember the packets will be encrypted by the VPN, therefore there is less space for user data).

In summary, this design is not the best but you have two alternatives:

  1. Move your server to the hub MX local VLAN.
  2. Configure 1:1 NAT on the spoke MX and disable the IPv4 default route in the Site-to-Site VPN settings.

You can also use Port Forwarding on the spoke MX if you don't have a public IP; just don't forget to disable the IPv4 default route. Disabling the IPv4 default route on the spoke will fix the routing asymmetry problem.

I'm adding a network diagram below to give you a better idea of the network flows.

[Image: 1to1_NAT_and_AVPN.png (network diagram of the 1:1 NAT and AutoVPN flows)]

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
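The routing asymmetry described in the reply, as an added example (not from the post or from Meraki): a small forwarding-table model of the spoke MX that translates the 1:1 NAT inbound on WAN 1 and then picks the egress for the server's reply. With the full-tunnel default route the reply leaves via the VPN towards the hub, not back out WAN 1; with the IPv4 default route disabled the reply goes out WAN 1 and the flow is symmetric. All addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed addresses (documentation ranges); not taken from the post.
SPOKE_WAN1 = "203.0.113.10"   # spoke MX WAN 1 public IP used by the 1:1 NAT
SERVER = "10.10.5.20"         # server inside VLAN X behind the spoke
REMOTE_USER = "198.51.100.77" # remote user on the Internet


def lookup(routes, dst):
    """Longest-prefix match over (network, egress) pairs; returns the egress."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def spoke_routes(full_tunnel):
    """Spoke MX forwarding table. With a full-tunnel AutoVPN the IPv4 default
    route points into the VPN towards the hub; with it disabled, to WAN 1."""
    routes = [(ipaddress.ip_network("10.10.5.0/24"), "vlan-x")]
    default_egress = "vpn-to-hub" if full_tunnel else "wan1"
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default_egress))
    return routes


def nat_flow(full_tunnel):
    """Remote user hits the 1:1 NAT on the spoke's WAN 1; the server replies.
    Returns (ingress, reply_egress, symmetric)."""
    routes = spoke_routes(full_tunnel)
    one_to_one_nat = {SPOKE_WAN1: SERVER}  # public IP -> inside IP
    # Inbound: arrives on WAN 1, destination is translated, delivered to VLAN X.
    ingress = "wan1"
    inside_dst = one_to_one_nat[SPOKE_WAN1]
    if lookup(routes, inside_dst) != "vlan-x":
        raise RuntimeError("translated destination is not in a local VLAN")
    # Reply: server -> remote user. The default route decides the egress, so
    # a full-tunnel VPN sends it to the hub instead of back out WAN 1.
    reply_egress = lookup(routes, REMOTE_USER)
    return ingress, reply_egress, ingress == reply_egress


if __name__ == "__main__":
    for full_tunnel in (True, False):
        ingress, egress, symmetric = nat_flow(full_tunnel)
        print(f"full tunnel={full_tunnel}: in via {ingress}, reply via {egress}, "
              f"symmetric={symmetric}")
```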