Meraki

Community

MX100 Nat Traffic for Site-to-Site VPN - Newbie Question

Solved
Toytek
Conversationalist
‎Feb 21 2023 3:01 PM
‎Feb 21 2023 3:01 PM

MX100 Nat Traffic for Site-to-Site VPN - Newbie Question

Hi!

I'm trying to move an older set of manual routes and VPN from a super old Cisco ASA to a Meraki MX100.
The Site-to-Site VPN works fine but for security purposes it's being requested that I NAT our traffic that is accessing this specific traffic.
I know within a Sophos XG135 I can simply check a box and provide the public IP we would use then what we want it converted to. However, on the MX100 I am seeing the 1:1 and 1:Many options within the Firewall settings.

I'm having a bit of an issue seeing how I'd map out the ruling for this situation.
Would "Public IP" be the IP I want to use for this traffic or the external IP for this tunnel?

Also is "LAN IP" here what's being used for the tunnel?
Should I be using 1:Many - Public is the external IP used on the tunnel and LAN would be internal subnets that I want to access this route correct?

I apologize if this seems like a dumb question, I would just like to wrap my head around it since it's a tad different from how I usually set this up.

Cheers!

Labels:
0 Kudos
1 Accepted Solution
GreenMan
Meraki Employee
Meraki Employee
‎Feb 22 2023 10:09 AM
‎Feb 22 2023 10:09 AM

VPN translation does seem the way to go, as has already been suggested - but I'm not at all sure that, on its own, that is serving any great 'security purpose' - just adding complication.   You're much more likely to enhance the security of such a solution by limiting the access across the VPN (but leaving the addressing native).   Firstly by choosing carefully which VLANs on the Spoke MX are 'VPN enabled', secondly by considering the application of VPN firewall rules:  https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#VPN_Firewall_Rules     https://documen'tation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior  

View solution in original post

4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 21 2023 3:08 PM
‎Feb 21 2023 3:08 PM

You need to ask for Meraki support to enable Nat over VPN for you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 21 2023 3:17 PM
‎Feb 21 2023 3:17 PM

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GreenMan
Meraki Employee
Meraki Employee
‎Feb 22 2023 10:09 AM
‎Feb 22 2023 10:09 AM

VPN translation does seem the way to go, as has already been suggested - but I'm not at all sure that, on its own, that is serving any great 'security purpose' - just adding complication.   You're much more likely to enhance the security of such a solution by limiting the access across the VPN (but leaving the addressing native).   Firstly by choosing carefully which VLANs on the Spoke MX are 'VPN enabled', secondly by considering the application of VPN firewall rules:  https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#VPN_Firewall_Rules     https://documen'tation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior  

In response to GreenMan
Toytek
Conversationalist
‎Feb 22 2023 11:56 AM
‎Feb 22 2023 11:56 AM

Unfortunately the NAT limitation is being forced by the other end of the site-to-site VPN. I put in a ticket and got the function enabled, but was informed that since the other end is a Palo Alto Firewall the Meraki system doesn't support it.
I'm currently looking for a workaround but may have to use another firewall for this specific tunnel.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.