Hi,
I have a customer with a particular requirement for AutoVPN traffic. Their current network is comprised of remote sites sharing LAN addressing, so in their current non-SD-WAN solution the branch routers are running PAT to ensure each site is presented in the network with a unique /32 IP. They have Meraki switches and routers and they are planning to add Meraki MXs to run an SD-WAN network.
I was happy when I discovered Meraki allows a hidden feature (only Meraki staff can activate it) to apply 1:1 or 1:n VPN subnet translation. In my case, 1:n would fit perfectly.
However, I have just discovered they have an internal server at each site that has to be reachable from outside (from their private network, not from the internet). It made me think of having both a 1:1 and a 1:n VPN subnet translation in place at each remote site.
The server hosting this application shares the local LAN subnet with all other devices; it is not a dedicated server for this particular application.
The document does not say whether it is possible to run both 1:1 and 1:n at the same time. In case it were possible, it is not clear whether the inside address could be present in the 1:1 translation once it is part of the 1:n translated subnet.
Using Site-to-site VPN Translation - Cisco Meraki Documentation
If both premises were successfully accepted by the remote MX, I guess it could work:
Outbound sessions from the internal server (and their responses) could use the 1:1 translation rule.
Inbound sessions to the 1:1 "public" IP would be sent to the internal server. No other inbound sessions are required.
Outbound sessions from all other servers would be source-NATed to the PAT site IP address.
I'm going to ask Meraki to activate this feature in our lab. Before that, I was wondering whether you have a similar scenario in place.
Thanks!
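The three rules listed in the post (1:1 for the server, inbound only to the 1:1 address, 1:n PAT for everything else) can be checked as a small translation model. The code below is an added example written for this thread; it is not Meraki's implementation and does not show what the MX actually does with overlapping rules. It assumes the very thing the post asks about: that the 1:1 entry is matched before the 1:n PAT rule and that the 1:1 mapping preserves ports. All addresses (two sites reusing 192.168.1.0/24, site IPs 10.200.1.1 and 10.200.2.1, server outside addresses 10.200.1.10 and 10.200.2.10) are constructed for the example.

```python
"""Toy model of per-site VPN subnet translation: a 1:1 static mapping for
the internal server plus 1:n PAT for the rest of the shared LAN.
Constructed example for discussion; not Meraki's implementation."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


@dataclass
class SiteTranslator:
    name: str
    lan: ipaddress.IPv4Network          # the LAN subnet every site reuses
    pat_ip: IPv4                        # the site's unique /32 used for 1:n PAT
    one_to_one: dict                    # inside IP -> outside IP (1:1 rule)
    next_port: int = 20000              # first source port handed out by PAT
    _out: dict = field(default_factory=dict)  # (in_ip, in_port) -> (out_ip, out_port)
    _in: dict = field(default_factory=dict)   # (out_ip, out_port) -> (in_ip, in_port)

    def translate_outbound(self, src_ip: str, src_port: int) -> tuple[str, int]:
        """Source-translate a session leaving the site towards the VPN."""
        src = IPv4(src_ip)
        if src not in self.lan:
            raise ValueError(f"{src} is not in site {self.name} LAN {self.lan}")
        # Assumption (the open question in the post): the 1:1 rule is
        # evaluated before the 1:n rule and keeps the original port.
        if src in self.one_to_one:
            return str(self.one_to_one[src]), src_port
        # 1:n PAT: allocate one port on the site IP per inside flow.
        key = (src, src_port)
        if key not in self._out:
            out = (self.pat_ip, self.next_port)
            self.next_port += 1
            self._out[key] = out
            self._in[out] = key
        out_ip, out_port = self._out[key]
        return str(out_ip), out_port

    def translate_inbound(self, dst_ip: str, dst_port: int):
        """Destination-translate a packet arriving from the VPN.
        Returns (inside_ip, inside_port), or None if nothing matches."""
        dst = IPv4(dst_ip)
        # 1:1 rule: any new session to the outside address reaches the server.
        for inside, outside in self.one_to_one.items():
            if outside == dst:
                return str(inside), dst_port
        # PAT: only replies to flows that were opened via translate_outbound.
        hit = self._in.get((dst, dst_port))
        if hit is None:
            return None
        in_ip, in_port = hit
        return str(in_ip), in_port


def build_sites() -> tuple[SiteTranslator, SiteTranslator]:
    """Two sites with identical LANs; every address here is constructed."""
    lan = ipaddress.IPv4Network("192.168.1.0/24")
    site_a = SiteTranslator("A", lan, IPv4("10.200.1.1"),
                            {IPv4("192.168.1.10"): IPv4("10.200.1.10")})
    site_b = SiteTranslator("B", lan, IPv4("10.200.2.1"),
                            {IPv4("192.168.1.10"): IPv4("10.200.2.10")})
    return site_a, site_b


if __name__ == "__main__":
    a, b = build_sites()
    print("A client out:", a.translate_outbound("192.168.1.50", 40000))
    print("B client out:", b.translate_outbound("192.168.1.50", 40000))
    print("A server out:", a.translate_outbound("192.168.1.10", 51000))
    print("hub -> A server:", a.translate_inbound("10.200.1.10", 443))
    print("reply -> A client:", a.translate_inbound("10.200.1.1", 20000))
    print("unsolicited -> A PAT IP:", a.translate_inbound("10.200.1.1", 9999))
```

Running it shows the two properties the post relies on: the same inside address 192.168.1.50 at sites A and B is presented to the hub as two different site IPs, and an unsolicited packet to the PAT address is dropped while a new session to the 1:1 address reaches the server. Whether the MX really evaluates a 1:1 entry ahead of a 1:n rule covering the same subnet is exactly what the lab test with Meraki support needs to confirm.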