MX250 One Armed Concentrator behind Dual ISP - Manual Port Forwarding NAT Traversal

Luggage
Comes here often


We are planning to deploy ISP redundancy (currently single ISP... ISP X... with multiple uplinks via our Firewall) and need MX Concentrator traffic to failover between ISPs upon failure of ISP X


We are not using our own public IPv4 allocation (expensive) and thus relying on ISP allocated prefixes on both links.


We had/have issues with unhealthy NAT via our Firewalls, largely relating to tunnels failing to re-establish cleanly after failover.


Manual NAT config has prevented this issue from happening since implemented. How are we able to deploy a dual ISP solution in this manner while still retaining Manual NAT Config, one for each ISP Address used? Do we need our own /24 public address allocation to use this or to somehow fix our unclean NAT issue?

If we were able to set a separate Manual Port Forwarding NAT Traversal config on the Warm Standby MX, that may help, or a Dual WAN (Dual VIP + Dual Manual Port Forwarding NAT Traversal config), that could work.

In the attached diagram, ISP Y is the service we need to be able to failover to.


Has anyone done this without Auto NAT Traversal and their own portable public IPv4 prefix?

[Attached diagram: meraki-concentrator-dual-isp.PNG]

alemabrahao
Kind of a big deal

With NAT traversal, it is highly recommended that the VPN hub receive a static IP address.
So I believe that leaving it manually won't work. Why don't you leave it automatically?
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

[Screenshot attached: alemabrahao_0-1719395795195.png]

VPN Concentrator Deployment Guide - Cisco Meraki Documentation

Luggage

So the VPN Hub has a static IP (VIP) and there will be NAT (SNAT/DNAT) to/from the VIP via a public IP from ISP X.

I figure I will need to resolve the unfriendly NAT situation upstream with the static SNAT/DNAT so that works.

May have figured this out myself - I will try creating two SNAT/DNAT rules upstream (Mapping to the MX VIP) one for ISP A and one for ISP B, with the outside interface specified per ISP, so that when the route fails over to ISP B, SNAT rule for ISP B will be followed. I just need to make sure I can resolve unfriendly NAT so I don't need to use Manual NAT traversal.
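One way the two per-ISP SNAT/DNAT rule pairs described in the reply above could look, as an added example that is not part of this thread and not Meraki's or any poster's configuration. It assumes a Linux netfilter (iptables) firewall upstream of the one-armed MX concentrator (the thread never names the firewall platform); the VIP, public addresses, interface names and the UDP port are constructed placeholders. The script only generates the rules so they can be reviewed before being applied:

```shell
#!/bin/sh
# Added example: generate per-ISP DNAT/SNAT rules for an MX VIP behind a Linux firewall.
# Every value below is a constructed placeholder, not taken from the thread.
MX_VIP="${MX_VIP:-10.0.0.10}"          # placeholder: warm-spare VIP of the MX pair on the inside
VPN_PORT="${VPN_PORT:-9999}"           # placeholder: UDP port set under Manual port forwarding

# Emit the DNAT + SNAT pair for one ISP.
# Arguments: ISP label, outside interface name, public IP allocated by that ISP.
nat_rules_for_isp() {
  isp="$1"; oif="$2"; pub="$3"
  echo "# $isp: inbound VPN traffic arriving on $oif for $pub is delivered to the MX VIP"
  echo "iptables -t nat -A PREROUTING -i $oif -d $pub -p udp --dport $VPN_PORT -j DNAT --to-destination $MX_VIP:$VPN_PORT"
  echo "# $isp: traffic from the MX VIP that leaves via $oif is sourced from $pub"
  # Matching on the outgoing interface (-o) is what makes failover work: when the
  # default route moves to the other ISP, the other ISP's SNAT rule is the one hit.
  echo "iptables -t nat -A POSTROUTING -o $oif -s $MX_VIP -j SNAT --to-source $pub"
}

# Emit rule pairs for both ISPs (documentation-range public addresses, constructed).
gen_all_rules() {
  nat_rules_for_isp "ISP-X" "eth1" "203.0.113.10"
  nat_rules_for_isp "ISP-Y" "eth2" "198.51.100.10"
}

# Count only the iptables commands (not comment lines) in a generated rule set.
count_rules() {
  gen_all_rules | grep -c '^iptables '
}

# When run directly, print the full rule set for review.
[ "${1:-}" = "--print" ] && gen_all_rules
```

Apply the output only after reviewing it, and note that a static mapping like this needs a matching ingress rule on the FORWARD chain as well; the example covers only the NAT table. On Linux the "tunnels fail to re-establish after failover" symptom is commonly a connection-tracking entry still pinned to the failed ISP's public address, so clearing conntrack state for the VIP on failover is worth testing alongside these rules.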
