Meraki MX PAT question
Hi
If I'm not mistaken you've been looking for something like this (site-to-site VPN translation).
And yes, in a split tunnel scenario Internet-destined traffic goes out the Internet link while site-to-site VPN traffic traverses the tunnel.
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Tunneling
Hi Brash
Below is the document you sent us!
VPN Subnet Translation
This feature is not enabled by default, please contact Meraki support to enable it.
Moreover, this feature is only supported for Auto VPN and is not intended to work with non-Meraki VPN peers.
Isn't it possible to PAT between internal private IP bands on Auto VPN?
When you enable NAT on the VPN, all traffic from the subnet you define will be forwarded to the destination network regardless of port, so if you want to forward this to a specific host you do not have this possibility.
Please, if this post was useful, leave your kudos and mark it as solved.
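Added example (not from this thread, and not Meraki code or a Meraki API) of the arithmetic a 1:1 subnet translation performs, as the reply above describes it: the whole local subnet is mapped onto an equally sized translated subnet with the host bits preserved, so every local host gets its own distinct translated address and there is no rule that could say "all ports to one host". The subnets used are hypothetical.

```python
import ipaddress

# Added example: 1:1 subnet translation arithmetic as the thread describes it
# (whole subnet mapped, host bits preserved, no per-port rules).
# The subnets are hypothetical; this is not Meraki code or a Meraki API.


def translate_address(addr: str, local_net: str, translated_net: str) -> str:
    """Return the address that `addr` (a host in local_net) is seen as
    after translation into translated_net.

    The two subnets must be the same size; the host bits are copied
    unchanged, so each local host maps to exactly one translated address.
    """
    local = ipaddress.ip_network(local_net)
    translated = ipaddress.ip_network(translated_net)
    if local.prefixlen != translated.prefixlen:
        raise ValueError("1:1 translation needs equally sized subnets")
    ip = ipaddress.ip_address(addr)
    if ip not in local:
        raise ValueError(f"{ip} is not inside {local}")
    host_bits = int(ip) - int(local.network_address)
    return str(translated.network_address + host_bits)


def untranslate_address(addr: str, local_net: str, translated_net: str) -> str:
    """Reverse direction: map a reply sent to the translated address back
    to the real LAN host."""
    return translate_address(addr, translated_net, local_net)


def translation_table(local_net: str, translated_net: str) -> dict:
    """Every usable host of a (small) local subnet with its translated
    counterpart. The values are all distinct: nothing collapses several
    hosts onto one address, which is why a port-based forward to a single
    host cannot be expressed with this kind of translation."""
    local = ipaddress.ip_network(local_net)
    return {
        str(host): translate_address(str(host), local_net, translated_net)
        for host in local.hosts()
    }


if __name__ == "__main__":
    # Hypothetical overlapping LAN exported to the VPN as a different range.
    for real, seen in translation_table("192.168.1.0/29", "10.50.1.0/29").items():
        print(f"{real:<16} -> {seen}")
```

Run it as a script to print the mapping for a /29; every row is a different translated address, and `untranslate_address` shows the only way replies get back to a host is via that host's own translated address.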
Is it correct to say that there is no such feature as split route?
Also, it seems that it is possible to NAT to a specific IP band when exporting internal IP bands to the tunnel by using the VPN Subnet Translation feature from the following page.
(only auto vpn)
https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation
A trick you might be able to use is if you DON'T include the subnet in "VPN mode" (so you leave it disabled).
It will NAT the local subnet into an IP address in the range 6.0.0.0/8 (not sure on exact details) to go over AutoVPN. This is kinda mentioned in some bits of documentation but not well documented.
You'll need to do a packet capture on the AutoVPN interface to see which exact IP address is being used. As long as you add a return route it should work.
But I would rather use subnet translation before this technique.
And I would much rather fix my IP address than use either of these hacks. That's because I like reliable configurations that "just work".
This is an interesting tidbit I never knew...
So the MX uses 6.0.0.0/8 internally within the tunnel(s) in order to route traffic across S2S VPN?
Correct. This is mostly invisible.
I run into it occasionally when using RADIUS: you see RADIUS client requests coming from this range when they hit the RADIUS server (under very specific use cases).
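Added example, not from this thread and not Meraki tooling, for the two checks the replies above point at: picking out of a capture which 6.0.0.0/8 addresses the MX is actually translating into (so you know which return routes to add), and spotting RADIUS requests that arrive from that range rather than from the real LAN address. It assumes tcpdump's default one-line text format and uses constructed sample lines, not a real capture.

```python
import ipaddress
import re
from collections import Counter

# Range quoted in the thread for the MX's internal AutoVPN NAT. Which exact
# addresses are in use is only visible in a capture, which is what this parses.
AUTOVPN_NAT_RANGE = ipaddress.ip_network("6.0.0.0/8")
RADIUS_PORTS = {1812, 1813}

# Constructed tcpdump-style lines standing in for a capture taken on the
# AutoVPN interface; these are not from a real MX.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 6.12.34.56.51234 > 10.20.0.10.1812: UDP, length 120
12:00:01.000300 IP 10.20.0.10.1812 > 6.12.34.56.51234: UDP, length 40
12:00:02.000100 IP 192.168.10.5.44321 > 10.20.0.25.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000200 IP 6.12.34.57.51235 > 10.20.0.10.1812: UDP, length 118
12:00:03.000100 IP 6.12.34.56.40000 > 10.20.0.25.443: Flags [S], seq 2, win 64240, length 0
"""

# tcpdump prints "src.port > dst.port:" for IPv4; the last dotted field is the port.
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def parse_flows(capture: str):
    """Yield (src_ip, sport, dst_ip, dport) for every line that matches."""
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (
                ipaddress.ip_address(m["src"]), int(m["sport"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]),
            )


def translated_sources(capture: str) -> Counter:
    """Packets per source address inside the internal NAT range.
    These are the addresses the far side of the tunnel actually sees."""
    return Counter(
        str(src) for src, _, _, _ in parse_flows(capture)
        if src in AUTOVPN_NAT_RANGE
    )


def return_routes(capture: str) -> list:
    """Host routes the far side needs so replies reach the translated addresses."""
    ips = sorted(translated_sources(capture), key=ipaddress.ip_address)
    return [f"{ip}/32" for ip in ips]


def radius_clients_in_nat_range(capture: str) -> set:
    """RADIUS requests whose client address is a translated one. The RADIUS
    server must be configured with this address, not the real LAN address."""
    return {
        str(src) for src, _, _, dport in parse_flows(capture)
        if dport in RADIUS_PORTS and src in AUTOVPN_NAT_RANGE
    }


if __name__ == "__main__":
    print("translated sources:", dict(translated_sources(SAMPLE_CAPTURE)))
    print("return routes to add:", return_routes(SAMPLE_CAPTURE))
    print("RADIUS clients seen from NAT range:", radius_clients_in_nat_range(SAMPLE_CAPTURE))
```

Feed it the text of a real capture (for example `tcpdump -nn` output read from a file) in place of `SAMPLE_CAPTURE`; if the same translated address is expected to stay stable you can also watch this over time and alert when a new 6.0.0.0/8 source appears, since that usually means a return route or RADIUS client entry is missing.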