GRE traffic over MX

SOLVED
GianPaolo
Here to help

Hello all,

A client asked about creating a GRE tunnel over a Meraki MX, with 1:1 NAT.

The MX would not be terminating the tunnel, just forwarding GRE traffic with SNAT to a specific public IP.

Does anyone know if it is supported, or has anyone done it in production?

Thank you.

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

This usually does not work (nothing to do with MX, NAT breaks GRE in general). This is because each end of a GRE tunnel configures the source and destination address, which must match. Because of NAT, that cannot happen.

To make it work, you have to get rid of NAT. The common solution is to create an IPsec tunnel between the two devices running NAT (the MX and the remote firewall in this case), and then run GRE over that between the two GRE endpoints.
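Added example, not part of the post above: a small Python model of the address mismatch that answer describes. The addresses are constructed (private and documentation ranges), the tunnel lookup is simplified to a source/destination comparison, and the IPv4 header checksum is left at zero.

```python
import ipaddress
import struct

GRE_PROTO = 47  # IP protocol number for GRE

# Constructed sample addresses (assumptions, not from the thread)
A_PRIV = "192.168.10.2"   # GRE endpoint behind the NAT device
NAT_PUB = "198.51.100.5"  # public IP the 1:1 NAT maps A to
B_ADDR = "203.0.113.20"   # remote GRE endpoint


def ipv4_gre(src, dst, payload=b""):
    """Build a minimal IPv4 header (no options) followed by a basic GRE header."""
    gre = struct.pack("!HH", 0, 0x0800) + payload  # no flags, inner protocol IPv4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64,
                      GRE_PROTO, 0,  # checksum left at 0 in this model
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + gre


def snat(packet, new_src):
    """Model of source NAT: rewrite only the outer source address."""
    return packet[:12] + ipaddress.IPv4Address(new_src).packed + packet[16:]


def gre_accepts(packet, local, remote):
    """Receiver-side check: the outer destination must equal the tunnel's
    configured local address and the outer source its configured remote."""
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return packet[9] == GRE_PROTO and dst == local and src == remote


def demo():
    """B's tunnel is configured with the address A uses as its tunnel source."""
    pkt = ipv4_gre(A_PRIV, B_ADDR)
    # Outer addresses preserved, e.g. GRE carried inside an IPsec tunnel
    # between the two NAT devices and delivered to B unmodified.
    preserved = gre_accepts(pkt, local=B_ADDR, remote=A_PRIV)
    # Same packet after the NAT device rewrote the outer source.
    natted = gre_accepts(snat(pkt, NAT_PUB), local=B_ADDR, remote=A_PRIV)
    return preserved, natted


if __name__ == "__main__":
    print(demo())
```
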


4 REPLIES 4
alemabrahao
Kind of a big deal

MX doesn't support GRE. I had a project where it was required, and we had to use a FortiGate in the middle.

Thank you for the answer.

I don't need MX to "support GRE", meaning to be a tunnel endpoint. My question is if the MX will forward GRE traffic, and apply SNAT to it, or if it will somehow prevent the GRE tunnel from working.

I got it, you need to ask the Meraki product team to enable the SNAT feature on your dashboard. So I think it should work.
