MX Template NAT Traversal

DCoutinho
Conversationalist

Hello,

I have multiple MX sites under the same template. Because automatic NAT-T does not work with our upstream firewall, we use manual NAT-T. However, this option is not present/overridable in each network; it is only configurable in the template options and applies to every device within it.

If multiple MXs share the same IP:port NAT-T configuration (centralized Internet access), how will the Meraki dashboard contact them?

Best Regards,

Diogo

4 Replies
PhilipDAth
Kind of a big deal

I don't know the answer.

I can't see this working ...

Bruce
Kind of a big deal

It can’t - each MX needs to have a unique IP address:port combination. This is the same as any device/application on the internet, either the IP address or port (or both) needs to change to make it uniquely identifiable.

If you have a centralised upstream firewall doing PAT (port address translation - i.e. mapping all sources to one IP address and changing the port number) then it needs to use a different port number for each MX. By default each MX will use a dynamic port number as its source to contact the VPN registry, so even behind another firewall it should work. Even if the upstream firewall re-maps the source port, as long as it keeps the mapping the same for all connections to the VPN registries it should work.

What AutoVPN errors are you getting when you try using the standard, automatic NAT-T configuration? You’ll need to work out what the exact issue is to get it working, and this may mean you have to create static port mappings on the centralised firewall to get it working. Have a look through this document and see if it helps, https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo....
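The two points above (a shared public IP:port cannot identify more than one MX, and a PAT firewall only works with dynamic ports if it keeps one mapping per MX socket regardless of destination) can be modelled with a small simulation. This is an added example, not from the thread or from Meraki; the firewall class, function names, addresses and ports are all constructed for illustration.

```python
"""Model of a PAT (port address translation) firewall in front of several MXs.

Shows (1) why a manual NAT-T endpoint shared by every MX in a template collides,
and (2) why a NAT that keeps the same public port for a given inner socket
("friendly", endpoint-independent mapping) lets a peer reach the port the VPN
registry learned, while a NAT that picks a new port per destination
("unfriendly", endpoint-dependent mapping) does not.
All addresses and ports below are constructed sample values.
"""
from itertools import count

VPN_REGISTRY = ("198.51.100.10", 9350)  # constructed; the real one is under Help -> Firewall Info
PEER_MX = ("203.0.113.77", 9350)        # constructed public endpoint of a remote MX
PUBLIC_IP = "192.0.2.1"                 # constructed public IP of the upstream firewall


class PatFirewall:
    """Hypothetical PAT table: inner socket (and optionally destination) -> public port."""

    def __init__(self, endpoint_independent=True):
        self.endpoint_independent = endpoint_independent
        self.table = {}
        self._ports = count(40000)  # next free public source port

    def translate(self, inner_ip, inner_port, dst):
        # Friendly NAT: one public port per inner socket, whatever the destination.
        # Unfriendly NAT: a fresh public port for every (inner socket, destination) pair.
        key = (inner_ip, inner_port) if self.endpoint_independent else (inner_ip, inner_port, dst)
        if key not in self.table:
            self.table[key] = next(self._ports)
        return (PUBLIC_IP, self.table[key])


def manual_nat_t_collides(manual_endpoints):
    """Manual NAT-T tells each MX which public IP:port it is reachable on.
    True if two MXs would advertise the same endpoint (the template problem in the thread)."""
    return len(set(manual_endpoints)) != len(manual_endpoints)


def registry_port_usable_by_peer(fw, inner_ip, inner_port):
    """Does the public port the VPN registry learned also carry this MX's traffic to a peer MX?"""
    seen_by_registry = fw.translate(inner_ip, inner_port, VPN_REGISTRY)
    seen_by_peer = fw.translate(inner_ip, inner_port, PEER_MX)
    return seen_by_registry == seen_by_peer
```

With dynamic source ports, two MXs behind the friendly firewall get distinct public ports automatically; the same two MXs with one template-wide manual endpoint collide.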

DCoutinho
Conversationalist

Yeah, I agree the same IP:port is not possible, but the Meraki dashboard simply (as far as my knowledge goes) does not provide the choice to change the port for each network within a template. I guess I will make a wish to the dev team.

When NAT-T is auto we cannot form autoVPN tunnels - the vpn status page shows VPN Registry is not reachable and NAT type is unfriendly.

This is probably surpassed with on the fly NAT rules adjustment on upstream firewall, as different MXs will source with different ports. But it is not ideal as we are migrating sites with a short MW and the goal of the manual NAT-T is to avoid this...

Best Regards,

Diogo

Bruce
Kind of a big deal

If you've got VPN Registry is not reachable then you'll need to fix that first, and then deal with the 'unfriendly' NAT. VPN Registry unreachable means AutoVPN will never work. The MX devices must be able to contact their VPN registries on UDP 9350 or UDP 9351; the IP address is given under Help -> Firewall Info on the Dashboard (the information there is dynamically generated as it's potentially different for every organisation).

You'll need to allow traffic out through the firewall to the VPN Registries and allow the return traffic too (if the firewall doesn't automatically allow the return traffic). That traffic comes from a dynamic source UDP port on the MX, the same one that is ultimately used to establish the connection between the two MXs.
