Meraki feature VPN Subnet translation behaviour

Chema-Spain
Getting noticed

Hi,

I have a customer with a particular requirement for AutoVPN traffic. Their current network is comprised of remote sites sharing LAN addressing, so in their current non-SD-WAN solution the branch routers run PAT to ensure each site is presented in the network with a unique /32 IP. They have Meraki switches and routers and they are planning to add Meraki MXs to run an SD-WAN network.

I was happy when I discovered Meraki allows a hidden feature (only Meraki staff can activate it) to apply 1:1 or 1:n VPN subnet translation. In my case, 1:n would fit perfectly.

However, I have just discovered they have an internal server in each site that has to be reachable from outside (coming from their private network, not from the internet). It made me think of having both a 1:1 and a 1:n VPN subnet translation in place on each remote site.

The server hosting this application shares the local LAN subnet with all other devices; it is not a dedicated server for this particular application.

The document does not say whether it is possible to run both 1:1 and 1:n at the same time. In case it were possible, it is not clear whether the inside address could be present in the 1:1 translation once it is part of the 1:n translated subnet.

Using Site-to-site VPN Translation - Cisco Meraki Documentation

If both premises were accepted by the remote MX, I guess it could work:

Outbound sessions from the internal server (and their responses) could use the 1:1 translation rule.

Inbound sessions against the 1:1 "public" IP would be sent to the internal server. No other inbound sessions are required.

Outbound sessions from all other servers would be src-NATted to the PAT site IP address.

I'm going to ask Meraki to activate this feature in our lab. Prior to this, I was wondering whether you have a similar scenario in place.

Thanks!
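The behaviour the question expects from a combined 1:1 plus many-to-1 design can be modelled as a small stateful translator. The Python below is an added illustration, not code from the original post and not Meraki's implementation; the addressing (192.168.1.0/24 as the shared LAN, 10.200.1.10 as the server's 1:1 address, 10.200.1.1 as the site PAT address, 10.1.1.5 behind the hub), the rule precedence (a host with a 1:1 entry uses it even though it also sits inside the 1:n subnet) and the port allocation are all assumptions made for the model. It shows the three cases the post lists: the server's outbound sessions and their replies use the 1:1 rule, new inbound sessions to the 1:1 address reach the server, and every other LAN host is hidden behind the PAT address with no unsolicited inbound allowed. It also shows what the hub would learn: only the translated /32s, never the overlapping /24.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One direction of a session as seen on the wire."""
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


class VpnTranslator:
    """Branch-side translation towards AutoVPN (hypothetical model).

    Precedence is an assumption: a host with a 1:1 entry uses it even though it
    also sits inside the many-to-1 subnet; every other LAN host is
    source-translated to the site PAT address.
    """

    def __init__(self, lan: IPv4Network, pat_ip: IPv4Address,
                 one_to_one: Dict[IPv4Address, IPv4Address]) -> None:
        self.lan = lan
        self.pat_ip = pat_ip
        self.one_to_one = one_to_one
        self.reverse_one_to_one = {outside: inside for inside, outside in one_to_one.items()}
        # Connection tracking: (translated src, port, remote ip, port) -> (inside ip, port)
        self.sessions: Dict[Tuple[IPv4Address, int, IPv4Address, int],
                            Tuple[IPv4Address, int]] = {}
        self._next_port = 1024

    def advertised_prefixes(self) -> Set[IPv4Network]:
        """Prefixes the hub learns: only translated /32s, never the shared LAN."""
        prefixes = {ip_network(f"{self.pat_ip}/32")}
        prefixes.update(ip_network(f"{outside}/32") for outside in self.one_to_one.values())
        return prefixes

    def outbound(self, flow: Flow) -> Flow:
        """LAN -> VPN. Returns the flow as the hub sees it."""
        if flow.src in self.one_to_one:
            out_src, out_port = self.one_to_one[flow.src], flow.sport  # 1:1 keeps the port
        elif flow.src in self.lan:
            out_src, out_port = self.pat_ip, self._alloc_port()        # many-to-1 rewrites it
        else:
            raise ValueError(f"{flow.src} is not in the translated LAN")
        self.sessions[(out_src, out_port, flow.dst, flow.dport)] = (flow.src, flow.sport)
        return Flow(out_src, out_port, flow.dst, flow.dport)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """VPN -> LAN. Returns the delivered flow, or None if it must be dropped."""
        key = (flow.dst, flow.dport, flow.src, flow.sport)
        if key in self.sessions:                      # reply to a tracked session
            inside_ip, inside_port = self.sessions[key]
            return Flow(flow.src, flow.sport, inside_ip, inside_port)
        if flow.dst in self.reverse_one_to_one:       # new session to the 1:1 address
            return Flow(flow.src, flow.sport, self.reverse_one_to_one[flow.dst], flow.dport)
        return None                                   # new session to the PAT address: drop

    def _alloc_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port


# Constructed lab addressing (assumption): every branch reuses 192.168.1.0/24.
SITE_LAN = ip_network("192.168.1.0/24")
SERVER_INSIDE = ip_address("192.168.1.10")
OTHER_HOST = ip_address("192.168.1.20")
SERVER_VPN_IP = ip_address("10.200.1.10")   # 1:1 address for the internal server
SITE_PAT_IP = ip_address("10.200.1.1")      # many-to-1 address for the whole site
HUB_HOST = ip_address("10.1.1.5")           # a host behind the hub


def build_branch() -> VpnTranslator:
    return VpnTranslator(SITE_LAN, SITE_PAT_IP, {SERVER_INSIDE: SERVER_VPN_IP})


def demo() -> None:
    mx = build_branch()
    print("hub learns:", sorted(map(str, mx.advertised_prefixes())))
    # Server outbound keeps its 1:1 identity; the reply is translated back.
    out = mx.outbound(Flow(SERVER_INSIDE, 40000, HUB_HOST, 443))
    print("server ->", out)
    print("reply  ->", mx.inbound(Flow(HUB_HOST, 443, out.src, out.sport)))
    # Another LAN host is hidden behind the PAT address.
    print("host   ->", mx.outbound(Flow(OTHER_HOST, 40000, HUB_HOST, 443)))
    # Unsolicited inbound: allowed to the 1:1 address, dropped to the PAT address.
    print("to 1:1 ->", mx.inbound(Flow(HUB_HOST, 5555, SERVER_VPN_IP, 8080)))
    print("to PAT ->", mx.inbound(Flow(HUB_HOST, 5555, SITE_PAT_IP, 8080)))


if __name__ == "__main__":
    demo()
```

The model makes the overlap question concrete: because the 1:1 lookup runs before the many-to-1 one, the server's inside address can sit in both the 1:n subnet and the 1:1 table without ambiguity, and the hub never needs the overlapping /24. Whether the real feature evaluates its rules in that order is exactly what the lab test has to confirm.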

4 Replies
GreenMan
Meraki Employee

Is / are the source(s) for the inbound sessions known or could they be from anywhere?

Chema-Spain
Getting noticed

Hi,

Thanks for your response.

Source could be any private IP from a class B 10.X/16 addressing.

Chema-Spain
Getting noticed

Still not sure whether this feature can make it work as needed. And there is another ingredient that would add complexity for sure: having the affected sites associated to templates. It could be cumbersome. The fact is templates are the base and strength of Meraki deployments.

I asked Meraki TAC to enable the feature in a template; once done from their side, the only option I see available is NATting the internal subnet using the same mask. There is no way to configure many-to-one NAT. I have asked whether it needs something else from their side to make it visible.

I still do not have clear whether that translation for AutoVPN traffic could be 1:1, as it can indeed be configured for internet traffic in port forwarding designs.

I have just seen there is a kind of local override to configure at network level when a site is associated to a template. However, I'm not sure it would be enough.

Any ideas? Thanks!

Chema-Spain
Getting noticed

Hi,

Finally I got the feature visible after Meraki TAC configured it behind the scenes. Note the first time they only configured support for subnet-to-subnet NAT (I checked it worked fine; only the NATted subnet was present in the hub table); when trying to configure many-to-1 NAT, it failed. After contacting the TAC engineer again, both options were available. This is what I saw:

I confirm many-to-1 NAT works fine for the Spoke2 site (the one not associated to any template).

Regarding the Spoke1 site, it works too... however, what the dashboard reflects is quite strange:

  • First I de-associated spoke1 from its template (selecting config retention).
  • Then I configured many-to-1 NAT for the subnet. It worked fine: the hub site learnt the NATted /32 and did not see the private /24 prefix. Fine!
  • I re-associated the spoke1 network to the template. As the subnet is configured as unique in the template, spoke1 changed its subnet to a random one.
  • I configured the proper private /24 addressing and... the hub learnt the NATted /32 IP. However, neither the template nor spoke1 show this NAT anymore.

As a summary:

  • For sites not associated to any template, both subnet-to-subnet (same mask) and many-to-1 NAT work fine.
  • For sites associated to a template, it also works. However, it is difficult to manage, as at the end of the day you do not see what is configured. The NAT is not shown anywhere in the dashboard, even when you see the NATted prefix in the AutoVPN neighbor table. I guess in case you need a change in the NATted IP/prefix, you would need to de-associate the network from its template, apply the changes and make the association again.

IMO NAT over AutoVPN is not as flexible as what a router or dedicated firewall can support. We had customers where you need a mix of dynamic and static entries. This kind of corner case I guess won't work here.