MX is dumping ESP packets

General-Zod

Greetings,

Is it just me, or don't MXs support ESP packets when doing 1:1 NAT? I can see the ESP packet arrive on the external interface of the MX, but I don't see it egress the LAN interface which faces the actual IPsec termination device (Check Point).

The MX has a /28 public block and I have allocated a unique IP for the 1:1 NAT. I have requested that the administrator of the Check Point enables NAT-T; hopefully that will fix the problem.

Previously, pre-Meraki MX, a Cisco router or ASA (whichever Telstra MiG uses) was performing the 1:1 NAT and all was well.

This is one of those networks that we have inherited, with multiple admins and 3rd parties who are OS and have their own security posture to boot. It's certainly overly complex and sometimes you just ask yourself why!!??

Is there an MX firmware update (beta) that might help me with my ESP problem so I don't have to rely on the 3rd party to make any changes?

Many thanks

Owen

It's not the MX. It is that ESP doesn't support NAT. For IPsec NAT traversal, ESP packets get encapsulated inside a UDP packet. You need to enable or use NAT traversal on the far-end device if you need to NAT it on the MX.

https://community.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442
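The distinction in the reply above can be checked on a packet capture: raw ESP is IP protocol 50 with no transport header and therefore no port numbers, whereas with NAT-T (RFC 3948) ESP rides inside UDP on port 4500, and IKE on that same port is prefixed with a four-byte zero "non-ESP marker" so the two can be told apart. The script below is an added example for this thread, not code from the post, from Meraki or from Check Point; the packets, SPIs and RFC 5737 addresses in it are constructed inline so it runs offline, where in practice the bytes would come from a capture taken on the MX WAN and LAN interfaces.

```python
"""
Tell raw ESP apart from NAT-T encapsulated ESP in captured IPv4 packets.

Added example for this thread; not code from the post, from Meraki or from
Check Point. Packets are constructed inline (RFC 5737 documentation addresses,
made-up SPIs) so the script runs offline.
"""
import struct
import ipaddress

IPPROTO_UDP = 17
IPPROTO_ESP = 50                       # raw ESP: no transport header, no ports
IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s2.2: IKE on UDP/4500 starts with 4 zero bytes
NATT_KEEPALIVE = b"\xff"               # RFC 3948 s4: one-byte NAT keepalive


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left zero (constructed data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def esp_header(spi, seq):
    """ESP begins with SPI and sequence number; everything after is encrypted.
    SPI 0 is reserved, which is why the zero marker cannot be confused with ESP."""
    return struct.pack("!II", spi, seq)


def classify(pkt):
    """Return (kind, spi). kind is one of esp-raw, esp-natt, ike, ike-natt,
    natt-keepalive, other, truncated; spi is set only for ESP."""
    if len(pkt) < 20:
        return ("truncated", None)
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", payload[:4])[0] if len(payload) >= 4 else None
        return ("esp-raw", spi)
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if IKE_PORT in (sport, dport):
            return ("ike", None)
        if NATT_PORT in (sport, dport):
            if data == NATT_KEEPALIVE:
                return ("natt-keepalive", None)
            if data.startswith(NON_ESP_MARKER):
                return ("ike-natt", None)
            if len(data) >= 4:
                return ("esp-natt", struct.unpack("!I", data[:4])[0])
    return ("other", None)


def nat_friendly(kind):
    """Only UDP-carried traffic has ports a NAT device can rewrite and track;
    raw ESP (IP protocol 50) does not."""
    return kind in ("esp-natt", "ike", "ike-natt", "natt-keepalive")


def summarize(packets):
    """Count packet kinds and flag the symptom from the thread:
    raw ESP arriving while no NAT-T encapsulated ESP is seen at all."""
    counts = {}
    for pkt in packets:
        kind, _ = classify(pkt)
        counts[kind] = counts.get(kind, 0) + 1
    needs_natt = counts.get("esp-raw", 0) > 0 and counts.get("esp-natt", 0) == 0
    return counts, needs_natt


def sample_packets():
    """Constructed sample traffic from a peer towards the MX WAN address."""
    peer, mx_wan = "203.0.113.10", "198.51.100.5"
    esp = esp_header(0xDEADBEEF, 1) + b"\x11" * 16
    raw_esp = ipv4_header(peer, mx_wan, IPPROTO_ESP, len(esp)) + esp

    natt_esp_data = esp_header(0xCAFEBABE, 7) + b"\x22" * 16
    natt_esp = (ipv4_header(peer, mx_wan, IPPROTO_UDP, 8 + len(natt_esp_data))
                + udp_header(NATT_PORT, NATT_PORT, len(natt_esp_data)) + natt_esp_data)

    ike_data = NON_ESP_MARKER + b"\x00" * 28          # marker + 28-byte IKE header
    ike_natt = (ipv4_header(peer, mx_wan, IPPROTO_UDP, 8 + len(ike_data))
                + udp_header(NATT_PORT, NATT_PORT, len(ike_data)) + ike_data)

    keepalive = (ipv4_header(peer, mx_wan, IPPROTO_UDP, 9)
                 + udp_header(NATT_PORT, NATT_PORT, 1) + NATT_KEEPALIVE)
    return {"raw_esp": raw_esp, "natt_esp": natt_esp,
            "ike_natt": ike_natt, "keepalive": keepalive}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        kind, spi = classify(pkt)
        print(name, kind, hex(spi) if spi is not None else "-",
              "nat-friendly" if nat_friendly(kind) else "NOT nat-friendly")
    print(summarize([sample_packets()["raw_esp"]]))
```

On a real capture the same split shows up in the filters: `ip proto 50` matches the raw ESP that arrives on the WAN side, and `udp port 4500` matches what should appear on both WAN and LAN once the far end has NAT-T enabled. Seeing only the former and none of the latter is the condition `summarize` flags.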
