MX 1:Many NAT

allanmack
Conversationalist

I was just on the phone with Meraki Support for a little while, attempting to activate a new customer on an MX100. However, Meraki Support told me 1:Many NAT doesn't actually NAT the outbound traffic and rewrites the packet to the WAN IP of the Meraki. Is the only usage for 1:Many NAT for inbound port forwarding?

1 Accepted Solution
Josh-C
Meraki Employee

Traffic from the outside that matches a 1:Many NAT rule will be forwarded to the internal host just like a port forward. Return traffic for that flow will be mapped back to the "Public IP" of the 1:Many NAT rule. That said, flows originating from the LAN side of the MX will never be mapped to the "Public IP" of a 1:Many NAT rule regardless of the rule's criteria. LAN initiated flows will always be mapped to the WAN/VIP unless the host is on a 1:1 NAT mapping.

Consider the following:

Host A <--WAN--> MX100 <--LAN--> Host B

MX WAN 1.1.1.1

MX 1:Many Public 1.1.1.2

If the MX has a 1:Many NAT rule that forwards TCP port 22 received on 1.1.1.2 to Host B on port 22, an SSH session from outside to 1.1.1.2 would flow through to Host B as expected and return traffic for said session would be mapped to 1.1.1.2 on the outbound.

That said, if Host B went to SSH into Host A, that flow would be NATed like any other flow and come from 1.1.1.1 from the perspective of Host A.

I hope this helps.

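The source-address behaviour Josh-C describes, written out as a small flow-translation model so the three cases (inbound match on a 1:Many rule, the return leg of that flow, and a LAN-initiated flow) can be traced side by side. This is an added example for this thread, not Meraki code and not how the MX implements NAT internally. The Flow/MX/OneToManyRule classes, the field names, the addresses used in demo(), and the assumption that the content-filtering web-proxy exception quoted from the Meraki docs further down the thread applies to TCP 80/443 are all illustration choices of mine, not anything the page confirms.

```python
"""Model of MX NAT source selection as described in the accepted solution.

Rules modelled (all from the thread, not from Meraki source):
  * WAN -> LAN traffic matching a 1:Many rule is forwarded to the LAN host.
  * The return leg of such a flow is mapped back to the rule's "Public IP".
  * LAN-initiated flows egress from the WAN IP, regardless of 1:Many rules,
    unless the host has a 1:1 NAT mapping (then the 1:1 public IP is used,
    except for proxied web traffic when content filtering is on).
Added example; class/field names and addresses are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class OneToManyRule:
    public_ip: str    # the "Public IP" of the 1:Many NAT rule
    proto: str
    public_port: int
    lan_ip: str
    lan_port: int


WEB_PORTS = {80, 443}  # assumption: what the MX web proxy would intercept


@dataclass
class MX:
    wan_ip: str
    one_to_many: List[OneToManyRule] = field(default_factory=list)
    one_to_one: Dict[str, str] = field(default_factory=dict)  # LAN IP -> 1:1 public IP
    content_filter_proxy: bool = False
    # LAN-side 5-tuple of a flow that entered via a 1:Many rule -> public IP to reply from
    _established: Dict[Tuple[str, int, str, int, str], str] = field(default_factory=dict)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """WAN -> LAN. Only 1:Many rules are modelled; no match means no forward."""
        for r in self.one_to_many:
            if (f.dst_ip, f.proto, f.dst_port) == (r.public_ip, r.proto, r.public_port):
                t = Flow(f.src_ip, f.src_port, r.lan_ip, r.lan_port, f.proto)
                # remember the flow so its return traffic keeps the rule's public IP
                self._established[(t.dst_ip, t.dst_port, t.src_ip, t.src_port, t.proto)] = r.public_ip
                return t
        return None

    def outbound_source(self, f: Flow) -> str:
        """LAN -> WAN. Which public IP the remote side sees as the source."""
        pub = self._established.get((f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto))
        if pub is not None:
            return pub                       # return leg of an inbound 1:Many flow
        if f.src_ip in self.one_to_one:
            if self.content_filter_proxy and f.proto == "tcp" and f.dst_port in WEB_PORTS:
                return self.wan_ip           # docs: proxied web traffic uses the primary uplink
            return self.one_to_one[f.src_ip]
        return self.wan_ip                   # everything else, 1:Many rules notwithstanding

    def outbound(self, f: Flow) -> Flow:
        return Flow(self.outbound_source(f), f.src_port, f.dst_ip, f.dst_port, f.proto)


def demo() -> Dict[str, str]:
    """Walk the thread's topology; returns the address each case is seen from."""
    mx = MX(wan_ip="1.1.1.1",
            one_to_many=[OneToManyRule("1.1.1.2", "tcp", 22, "10.0.0.20", 22)],
            one_to_one={"10.0.0.30": "1.1.1.3"})
    host_a, host_b, host_c = "203.0.113.5", "10.0.0.20", "10.0.0.30"  # constructed addresses
    results: Dict[str, str] = {}
    # Host A -> 1.1.1.2:22 is forwarded to Host B; the reply comes back from 1.1.1.2
    fwd = mx.inbound(Flow(host_a, 40000, "1.1.1.2", 22))
    results["inbound_ssh_dst"] = fwd.dst_ip if fwd else "dropped"
    results["inbound_ssh_reply_src"] = mx.outbound(Flow(host_b, 22, host_a, 40000)).src_ip
    # Host B initiates SSH to Host A: the 1:Many rule is ignored, the WAN IP is used
    results["lan_ssh_src"] = mx.outbound(Flow(host_b, 51000, host_a, 22)).src_ip
    # the OP's case: mail from Host B leaves from the WAN IP, not from 1.1.1.2
    results["lan_smtp_src"] = mx.outbound(Flow(host_b, 51001, host_a, 25)).src_ip
    # a 1:1 NAT host keeps its mapped public IP outbound...
    results["one_to_one_smtp_src"] = mx.outbound(Flow(host_c, 51002, host_a, 25)).src_ip
    # ...except proxied web traffic once content filtering is enabled
    mx.content_filter_proxy = True
    results["one_to_one_https_src_proxy"] = mx.outbound(Flow(host_c, 51003, host_a, 443)).src_ip
    return results


if __name__ == "__main__":
    for case, seen_from in demo().items():
        print(f"{case:28} {seen_from}")
```

The "lan_smtp_src" case is the one that bit the original poster: a mail server behind a 1:Many rule still sends from the MX WAN IP, so an SPF record or an O365 connector that only lists the 1:Many public IP will reject it. Moving that host to a 1:1 NAT mapping is the configuration that changes the egress address in this model, which is what the accepted solution says.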

7 Replies
Owen
Getting noticed

That's not totally correct. For regular flows originating from inside to outside the MX will only use the WAN interface address for source NAT.

The "Port forwarding" section uses the MX interface WAN address; the "1:Many" and "1:1 NAT" sections let you specify an IP address to use for NAT. Return traffic for these sessions uses the correct address.

allanmack
Conversationalist

Right, and that's how it works on any NAT device. However, two Meraki Support engineers told me otherwise and services did not function as expected. Unfortunately, I was unable to do a packet capture before having to revert to validate this.

DarrenOC
Kind of a big deal

Hi @allanmack see below

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Configuring_1%3A1_NAT

Additional Considerations

When a 1:1 NAT rule is configured for a given LAN IP, that device's outbound traffic will be mapped to the public IP configured in the 1:1 NAT rule, rather than the primary WAN IP of the MX. Exceptions may occur when the MX is running some content filtering features that involve its web proxy. In this circumstance, outbound web traffic initiated by the 1:1 NAT LAN device will use the primary uplink as normal.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

allanmack
Conversationalist

Yeah, I'm not talking about 1:1 NAT. Just specifically 1:Many NAT.

Inderdeep
Kind of a big deal

@allanmack : Check these for 1:Many NAT

https://meraki.cisco.com/blog/2014/08/1many-nat-for-meraki-mx/


Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

allanmack
Conversationalist

Thank you, this is exactly what we were experiencing. The MX record is associated with the 1:Many NAT and the O365 server on the outside is expecting to only receive from that IP, so it denies anything from the WAN IP of the Meraki. I confirmed this from the headers in the email that was being sent, as the source was the WAN IP of the Meraki. Thank you for the information.
