Meraki NAT and AUTOVPN

zoee
Conversationalist

Hello,

In a hub-and-spoke design, the hub is configured with 2 MXes. The Routed MX is connected to the Internet and does firewall/NAT.
The second MX, the OAC, is connected to a LAN port of the Routed MX; it doesn't matter which port. What matters is that they function together as a Layer 2 bridge, the OAC being the VPN concentrator.
The OAC has a public IP of 11.11.11.11 on its physical port, and both the Routed MX and the OAC share the same public IP address 22.22.22.22.
There are also 2 port forwarding rules, for UDP and TCP, with the same public/local port (43060), configured on the Routed MX towards the physical IP address of the OAC, 11.11.11.11, so if NAT occurs the port should not change dynamically.

Whatever comes from the LAN at the hub to the Routed MX, or local breakout, is NATed.
Whatever comes from the Internet and is not destined to the OAC is NATed.

As we know, AutoVPN traffic first arrives at the Routed MX and is then sent to the OAC for decryption, and vice versa.

Is the Routed MX in the hub doing NAT when it receives the encrypted traffic from the spoke devices before sending it to the OAC device? Or will it simply forward the encrypted traffic without doing NAT in my case?

1. Why yes? Walk me through the process.
2. Why not? Walk me through the process.

Is the Routed MX doing NAT when it receives encrypted AutoVPN traffic from the OAC before sending it to the spokes? Or will it simply forward the encrypted traffic to the spokes without doing NAT in my case?

1. Why yes? Walk me through the process.
2. Why not? Walk me through the process.

ww
Kind of a big deal

Subnets routed/communicating using the VPN routes are not using any NAT/PAT. There is no need for any NAT inside the tunnel as long as every branch uses unique subnets.

You could use translation, but that's not the default. https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation
alemabrahao
Kind of a big deal

I think it would be a good idea to talk to your Meraki sales representative if you have any questions regarding the design.
Although you have explained some details, I believe that your sales representative will help you determine the best scenario for you by gathering all the necessary information.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
zoee
Conversationalist

Sales do not know anything about deep-dive technical aspects or, so to speak, how the technology really works; they sell whatever the client wants, every hour of the day.

PhilipDAth
Kind of a big deal

Why bother using two MXes? Why not just use the routed MX as your hub?

>The OAC has a public ip on the physical port

If you use an OAC, it would normally have a private IP on its physical port, and that is NATed when it talks to the Internet.

>Is the routed mx in the HUB doing NAT when it receives the encrypted traffic

Yes.

>Or it will just simply forward the encrypted traffic

The encrypted traffic will be forwarded to the OAC.

>Is the routed mx doing NAT when it receives encrypted AutoVPN traffic from the OAC before sending it to the spokes?

Yes.

>Or it will just simply forward the encrypted traffic to the spokes without doing NAT in my case?

It can't do this. It must replace the private IP address that is being used on the OAC with a public IP address so that it is globally routable.

zoee
Conversationalist

Thanks for the correct answer! It's so easy to just go to Security & SD-WAN – VPN Status and read the following: as we can see, the OAC has a public IP of 11.11.11.11 assigned on its WAN 1 interface, which is NATed, both ways of course.

  • VPN Registry: Connected. This WAN appliance is able to connect to multiple VPN registries using UDP port 9350 & 9358.
  • NAT type: Friendly. This WAN appliance is behind a VPN-friendly NAT, locally using 11.11.11.11:43059, which is NAT-ed to 22.22.22.22:43059
  • Encrypted. Using IPsec and AES encryption.
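The thread's conclusion, modelled as an added example (this is not code from the thread, from Meraki, or from any poster): a toy stateful NAT standing in for the Routed MX, with the static port forward towards the OAC, and a registry-side check of whether two registries see the same public ip:port. The addresses 11.11.11.11, 22.22.22.22 and port 43059 are taken from the VPN Status text quoted above, and the registry ports 9350/9358 come from the same text; the registry IPs 198.51.100.x and the spoke IP 203.0.113.5 are constructed. The dynamic-PAT branch deliberately allocates a fresh external port per destination, the kind of mapping that would break a registry-brokered connection, so the contrast with the static forward is visible; "Friendly" is defined by this example (same mapping seen by every registry), not by Meraki's actual algorithm.

```python
from typing import Dict, Optional, Tuple
import itertools

Socket = Tuple[str, int]  # (ip, port)


class Packet:
    """A UDP 4-tuple; the encrypted payload is irrelevant to the NAT decision."""

    def __init__(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        self.src = (src_ip, src_port)
        self.dst = (dst_ip, dst_port)

    def __repr__(self) -> str:
        return f"{self.src[0]}:{self.src[1]} -> {self.dst[0]}:{self.dst[1]}"


class RoutedMX:
    """Simplified stateful NAT on the hub's Internet-facing MX (assumed model)."""

    def __init__(self, public_ip: str, port_forwards: Dict[int, Socket]):
        self.public_ip = public_ip
        # Static rules as in the thread: public_port -> (inside_ip, inside_port).
        self.port_forwards = port_forwards
        # Dynamic PAT keyed per (inside socket, destination socket): an
        # address/port-dependent NAT, used here to show the unfriendly case.
        self.pat: Dict[Tuple[Socket, Socket], int] = {}
        self._ports = itertools.count(50000)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the private source to the shared public IP."""
        for pub_port, inside in self.port_forwards.items():
            if inside == pkt.src:
                # Static forward: the external port is fixed, so the mapping
                # that spokes and registries learn never changes.
                return Packet(self.public_ip, pub_port, *pkt.dst)
        key = (pkt.src, pkt.dst)
        if key not in self.pat:
            self.pat[key] = next(self._ports)
        return Packet(self.public_ip, self.pat[key], *pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only forwarded ports or existing PAT state get in."""
        if pkt.dst[0] != self.public_ip:
            return None  # not addressed to us
        if pkt.dst[1] in self.port_forwards:
            return Packet(*pkt.src, *self.port_forwards[pkt.dst[1]])
        for (inside, remote), pub_port in self.pat.items():
            # A reply is only accepted from the peer the mapping was created for.
            if pub_port == pkt.dst[1] and remote == pkt.src:
                return Packet(*pkt.src, *inside)
        return None  # unsolicited: dropped by the firewall


# Constructed registry addresses; the UDP ports are the ones in the thread.
REGISTRIES = [("198.51.100.1", 9350), ("198.51.100.2", 9358)]
OAC_SOCKET = ("11.11.11.11", 43059)


def register(mx: RoutedMX) -> Tuple[str, Dict[Socket, Socket]]:
    """Send one registration from the OAC to each registry through the MX and
    return this example's verdict: 'Friendly' when every registry observed the
    same public ip:port, 'Unfriendly' otherwise."""
    seen: Dict[Socket, Socket] = {}
    for reg in REGISTRIES:
        seen[reg] = mx.outbound(Packet(*OAC_SOCKET, *reg)).src
    verdict = "Friendly" if len(set(seen.values())) == 1 else "Unfriendly"
    return verdict, seen


def with_port_forward() -> RoutedMX:
    """The hub as described in the thread: static UDP forward to the OAC."""
    return RoutedMX("22.22.22.22", {43059: OAC_SOCKET})


def without_port_forward() -> RoutedMX:
    """Same hub with the forward removed: only dynamic PAT remains."""
    return RoutedMX("22.22.22.22", {})


if __name__ == "__main__":
    spoke_pkt = Packet("203.0.113.5", 43059, "22.22.22.22", 43059)
    for name, mx in (("static forward", with_port_forward()),
                     ("dynamic PAT only", without_port_forward())):
        verdict, seen = register(mx)
        print(f"{name}: {verdict} {seen}")
        # Encrypted traffic from a spoke hitting the public port is translated
        # back to the OAC only when a forward (or matching state) exists.
        print("  spoke ->", mx.inbound(spoke_pkt))
```

Reading the output side by side shows what the VPN Status line is reporting: with the forward in place the Routed MX does NAT in both directions, but the translation is a fixed 11.11.11.11:43059 to 22.22.22.22:43059, so every registry and every spoke sees one stable endpoint. Without the forward the registries see different ports and an unsolicited spoke packet is dropped at the firewall.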