Meraki feature VPN Subnet translation behaviour

Chema-Spain
Getting noticed

Hi,

I have a customer with a particular requirement for AutoVPN traffic. Their current network is composed of remote sites sharing LAN addressing, so in their current non-SD-WAN solution the branch routers run PAT to ensure each site is presented in the network with a unique /32 IP. They have Meraki switches and routers and they are planning to add Meraki MXs to run an SD-WAN network.

I was happy when I discovered Meraki offers a hidden feature (only Meraki staff can activate it) to apply 1:1 or 1:n VPN subnet translation. In my case, 1:n would fit perfectly.

However, I have just discovered they have an internal server in each site that has to be reachable from outside (coming from their private network, not from the internet). It made me think of having both a 1:1 and a 1:n VPN subnet translation in place on each remote site.

The server hosting this application shares the local LAN subnet with all other devices; it is not a dedicated server for this particular application.

The document does not reflect whether it is possible to run both 1:1 and 1:n at the same time. In case it were possible, it is not clear whether the inside address could be present in the 1:1 translation once it is part of the 1:n translated subnet.

Using Site-to-site VPN Translation - Cisco Meraki Documentation

If both premises were successfully accepted by the remote MX, I guess it could work:

Outbound sessions from the internal server (and their responses) could use the 1:1 translation rule.

Inbound sessions against the 1:1 "public" IP would be sent to the internal server. No other inbound sessions are required.

Outbound sessions from all other servers would be source-NATted into the PAT site IP address.

I'm going to ask Meraki to activate this feature in our lab. Prior to this, I was wondering whether you have a similar scenario in place.

Thanks!
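A model of the translation order the post proposes, added here as an example; it is not code from the post or from Meraki, and it assumes the 1:1 entry for the server is matched before the site-wide 1:n (PAT) rule, which the post says the documentation does not confirm. All addresses are constructed.

```python
# Added model of the translation order proposed in the post; not Meraki code.
# Assumption: a host with a 1:1 entry is matched before the site-wide 1:n (PAT) rule.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SiteTranslation:
    local_subnet: ipaddress.IPv4Network          # LAN range shared by every branch
    one_to_one: dict                              # inside host -> unique VPN-side address (1:1)
    pat_address: ipaddress.IPv4Address            # unique /32 that represents the whole site (1:n)
    sessions: dict = field(default_factory=dict)  # (pat_ip, pat_port) -> (inside_ip, inside_port)
    next_port: int = 40000                        # constructed starting PAT port

    def outbound(self, src, sport, dst, dport):
        """Translate a LAN packet leaving the branch over AutoVPN."""
        src_ip = ipaddress.ip_address(src)
        if src_ip not in self.local_subnet:
            raise ValueError("source is not on the branch LAN")
        if src_ip in self.one_to_one:                # server: keeps its own unique address
            return (str(self.one_to_one[src_ip]), sport, dst, dport)
        key = (str(self.pat_address), self.next_port)  # everyone else: hidden behind one IP
        self.sessions[key] = (src, sport)
        self.next_port += 1
        return (key[0], key[1], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Translate a packet arriving from the private WAN; None means the packet is dropped."""
        dst_ip = ipaddress.ip_address(dst)
        for inside, outside in self.one_to_one.items():
            if dst_ip == outside:                    # only the 1:1 address accepts new sessions
                return (src, sport, str(inside), dport)
        session = self.sessions.get((dst, dport))    # PAT address: replies to known sessions only
        if session is None:
            return None
        return (src, sport, session[0], session[1])


def build_site():
    """Constructed branch: shared LAN 192.168.1.0/24, server .10 gets 1:1, the rest use PAT."""
    return SiteTranslation(
        local_subnet=ipaddress.ip_network("192.168.1.0/24"),
        one_to_one={ipaddress.ip_address("192.168.1.10"): ipaddress.ip_address("10.200.1.10")},
        pat_address=ipaddress.ip_address("10.200.1.1"),
    )


if __name__ == "__main__":
    site = build_site()
    print(site.outbound("192.168.1.10", 51000, "10.20.0.5", 443))   # server leaves as 10.200.1.10
    print(site.outbound("192.168.1.50", 51001, "10.20.0.5", 443))   # other host hidden as 10.200.1.1:40000
    print(site.inbound("10.20.0.7", 9000, "10.200.1.1", 40001))     # unsolicited to PAT address: None
```

The point the model makes visible is that the server's inside address sits inside the 1:n subnet, so the outcome depends entirely on which rule the MX evaluates first.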

GreenMan
Meraki Employee

Is / are the source(s) for the inbound sessions known or could they be from anywhere?

Chema-Spain
Getting noticed

Hi,

Thanks for your response.

Source could be any private IP from a class B 10.X/16 addressing.

Chema-Spain
Getting noticed

Still not sure whether this feature can make it work as needed. And there is another ingredient that would add complexity for sure: having the affected sites associated with templates. It could be cumbersome. The fact is templates are the base and strength of Meraki deployments.

After asking Meraki TAC to enable the feature in a template, once done from their side, the only option I see available is NATting the internal subnet using the same mask. No way to configure many-to-one NAT. I have asked whether it needs something else from their side to make it visible.

I am still not clear on whether that translation for AutoVPN traffic could be 1:1, as it indeed can be configured for internet traffic in port-forwarding designs.

I have just seen there is a kind of local override to configure at the network level when a site is associated with a template. However, I'm not sure it would be enough.

Any ideas? Thanks!
