Meraki

Community

MX 1:Many NAT

Solved
allanmack
Conversationalist
‎Sep 27 2021 5:29 PM
‎Sep 27 2021 5:29 PM

MX 1:Many NAT

I was just on the phone with Meraki Support for a little while, attempting to activate a new customer on an MX100. However, Meraki Support told me 1:Many NAT doesn't actually NAT the outbound traffic and rewrites the packet to the WAN IP of the Meraki. Is the only usage for 1:Many NAT for inbound port forwarding?

0 Kudos
1 Accepted Solution
Josh-C
Meraki Employee
Meraki Employee
‎Sep 28 2021 6:38 AM
‎Sep 28 2021 6:38 AM

Traffic from the outside that matches a 1:Many NAT rule will be forwarded to the internal host just like a port forward.  Return traffic for that flow will be mapped back to the "Public IP" of the 1:Many NAT rule.  That said, flows originating from the LAN side of the MX will never be mapped to the "Public IP" of a 1:Many NAT rule regardless of the rules criteria.  LAN initiated flows will always be mapped to the WAN/VIP unless the host is on a 1:1 NAT mapping.  

 

Consider the following: 

 

Host A <--WAN--> MX100 <-LAN--> Host B

MX WAN 1.1.1.1

MX 1:Many Public 1.1.1.2

 

If the MX has a 1:Many NAT rule that forwards TCP port 22 received on 1.1.1.2 to Host B on port 22, an SSH session from outside to 1.1.1.2 would flow through to Host B as expected and return traffic for said session would be mapped to 1.1.1.2 on the outbound. 

 

That said, if host B went to SSH into Host A, that flow would be NATed like any other flow and come from 1.1.1.1 from the perspective of Host A. 

 

I hope this helps. 

View solution in original post

7 Replies 7
Owen
Getting noticed
‎Sep 27 2021 5:36 PM
‎Sep 27 2021 5:36 PM

Thats not totally correct. For regular flows originating from inside to outside the MX will only use the WAN interface address for source NAT.

 

The "Port forwarding" section uses the MX interface WAN address, the "1:Many" and "1:1 NAT" sections lets you specify an IP address to use for NAT. Return traffic for these sessions uses the correct address.

In response to Owen
allanmack
Conversationalist
‎Sep 27 2021 6:10 PM
‎Sep 27 2021 6:10 PM

Right, and that's how it works on any NAT device. However, two Meraki Support engineers told me otherwise and services did not function as expected. Unfortunately, I was unable to do a packet capture before having to revert to validate this.

0 Kudos
In response to allanmack
DarrenOC
Kind of a big deal
Kind of a big deal
‎Sep 27 2021 11:41 PM
‎Sep 27 2021 11:41 PM

Hi @allanmack see below

 

 

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Configuring_1%3A1_NAT

 

Additional Considerations

When a 1:1 NAT rule is configured for a given LAN IP, that device's outbound traffic will be mapped to the public IP configured in the 1:1 NAT rule, rather than the primary WAN IP of the MX. Exceptions may occur when the MX is running some content filtering features that involve its web proxy. In this circumstance, outbound web traffic initiated by the 1:1 NAT LAN device will use the primary uplink as normal.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
allanmack
Conversationalist
‎Sep 28 2021 4:23 AM
‎Sep 28 2021 4:23 AM

Yeah, I'm not talking about 1:1 NAT. Just specifically 1:Many NAT.

0 Kudos
In response to allanmack
Inderdeep
Kind of a big deal
Kind of a big deal
‎Sep 28 2021 6:25 AM
‎Sep 28 2021 6:25 AM

@allanmack : Check these for 1:Many NAT

https://meraki.cisco.com/blog/2014/08/1many-nat-for-meraki-mx/

Inderdeep_0-1632835548604.png

 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
0 Kudos
Josh-C
Meraki Employee
Meraki Employee
‎Sep 28 2021 6:38 AM
‎Sep 28 2021 6:38 AM

Traffic from the outside that matches a 1:Many NAT rule will be forwarded to the internal host just like a port forward.  Return traffic for that flow will be mapped back to the "Public IP" of the 1:Many NAT rule.  That said, flows originating from the LAN side of the MX will never be mapped to the "Public IP" of a 1:Many NAT rule regardless of the rules criteria.  LAN initiated flows will always be mapped to the WAN/VIP unless the host is on a 1:1 NAT mapping.  

 

Consider the following: 

 

Host A <--WAN--> MX100 <-LAN--> Host B

MX WAN 1.1.1.1

MX 1:Many Public 1.1.1.2

 

If the MX has a 1:Many NAT rule that forwards TCP port 22 received on 1.1.1.2 to Host B on port 22, an SSH session from outside to 1.1.1.2 would flow through to Host B as expected and return traffic for said session would be mapped to 1.1.1.2 on the outbound. 

 

That said, if host B went to SSH into Host A, that flow would be NATed like any other flow and come from 1.1.1.1 from the perspective of Host A. 

 

I hope this helps. 

In response to Josh-C
allanmack
Conversationalist
‎Sep 28 2021 6:01 PM
‎Sep 28 2021 6:01 PM

Thank you, this is exactly what we were experiencing. The MX record is associated with the 1:Many NAT and the O365 server on the outside is expecting to only receive from that IP, so it denies anything from the WAN IP of the Merak. I confirmed this from the headers in the email that was being sent as the source was the WAN IP of the Meraki. Thank you for the information.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.