Meraki

StarBlink · ‎Jun 1 2023

I need to do a destination NAT on the MX to avoid routing issues across VPN/Azure.

Is this possible on the MX85?

Currently only 1:1 NAT and 1:Many NAT is available and they are both source NAT from inside.

What I'm trying to do:

1. Packet arrives from internal LAN at MX

2. Gets NAT'd

Original: Source IP-A > Dest IP-Z

NAT :Source IP-A > Dest IP-Y

3. Passes across VPN to Azure

GreenMan · ‎Jun 1 2023

Would this do the trick? https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

Note that this would apply to all hosts within the configured VLAN. I guess, if this is important enough and you wanted it just for a handful of devices, you'd move those to a dedicated 'translation VLAN'

StarBlink · ‎Jun 1 2023

Thanks, this one is very useful to know about but not right for this as the remote device needs to see a certain destination IP in order to route and then remote side will NAT again to the original dest IP in a different system all together. Like double NATing. So definitely need a destination NAT feature.

GreenMan · ‎Jun 1 2023

Yeah sorry - I know subnet translation is the only production feature that's anything like what you're asking for so linked it quickly, before reading about your need to also NAT the destination addr. Pretty sure this isn't going to be possible with MX.

PhilipDAth · ‎Jun 1 2023

I have seen this done using a VMX in Azure (and this is a hard requirement). You then use the source NAT transition that @GreenMan talked about on the Azure VMX.

Remote spokes then see the new NATed subnet to talk to.

Meraki

Community

MX device Destination NAT

MX device Destination NAT