Meraki mx PAT question

KSM
Here to help


Hi

I have a question while using Meraki MX.

Private: 192.168.100.0/24
Tunnel: 10.130.1.1

1. Is it possible to PAT from private to tunnel band?
(192.168.100.0/24 -> 10.130.1.1)

2. If PAT is not possible, is there any way to configure the above on the MX?

3. If PAT is possible, is it possible to have the private IP go directly to the internet when using the internet, and go to the tunnel band when tunneling?

[image attachment: KSM_0-1700204857538.png]

8 Replies
Brash
Kind of a big deal

If I'm not mistaken you'd be looking for something like this (site-to-site VPN translation):

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation#1-to-many_(1...

And yes, in a split tunnel scenario internet destined traffic goes out the Internet link while site to site vpn traffic traverses the tunnel

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Tunneling

KSM
Here to help

Hi Brash

Below is the document you sent us!

VPN Subnet Translation
This feature is not enabled by default, please contact Meraki support to enable it.

Moreover, this feature is only supported for Auto VPN and is not intended to work with non-Meraki VPN peers.

Isn't it possible to PAT between internal private IP bands on Auto VPN?

alemabrahao
Kind of a big deal

When you enable NAT on the VPN, all traffic from the subnet you define will be forwarded to the destination network regardless of port, so if you want to forward this to a specific host you do not have this possibility.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KSM
Here to help

Is it correct to say that there is no such feature as split route?

Also, it seems that it is possible to NAT to a specific IP band when exporting internal IP bands to the tunnel by using the VPN Subnet Translation feature from the following page.
(only auto vpn)

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

alemabrahao
Kind of a big deal

I don't know exactly where you saw this, but Site-to-site VPN Translation is super simple to understand.

Basically it will translate the IP address of a given host in a Subnet to another IP.

Example:

Supposing you have the 192.168.128.0/24 subnet and need to translate it to the 10.15.30.0/24 subnet, when your host with the IP 192.168.128.44 communicates with your server within the VPN, the host's IP will be translated to the IP 10.15.30.44.

Basically that's it, there is no other advanced feature.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
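To make the 1:1 mapping described in the post above concrete, here is an added Python example (not Meraki's code and not the poster's): it models the subnet translation by keeping the host offset and swapping the network prefix, and it shows why the original question's /24-to-single-host request (192.168.100.0/24 -> 10.130.1.1) cannot be expressed as a 1:1 translation. The overlap helper is an assumption about good hygiene when planning translated subnets, not a documented Meraki check.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example, not Meraki's code: models Site-to-site VPN Translation as a
# 1:1 subnet mapping. 192.168.128.0/24 -> 10.15.30.0/24 turns host .44 into
# 10.15.30.44, as in the post above.


def can_translate(local_subnet: str, translated_subnet: str) -> bool:
    """A 1:1 subnet translation needs two networks of identical size.

    A /24 cannot be mapped onto a single /32 such as 10.130.1.1/32: that would
    be many-to-one PAT, which the feature does not perform.
    """
    local = ipaddress.ip_network(local_subnet, strict=False)
    translated = ipaddress.ip_network(translated_subnet, strict=False)
    return local.version == translated.version and local.prefixlen == translated.prefixlen


def translate_address(ip: str, local_subnet: str, translated_subnet: str) -> str:
    """Return the translated address: same host offset, new network prefix."""
    if not can_translate(local_subnet, translated_subnet):
        raise ValueError(
            f"{local_subnet} and {translated_subnet} differ in size; 1:1 translation impossible"
        )
    addr = ipaddress.ip_address(ip)
    local = ipaddress.ip_network(local_subnet, strict=False)
    translated = ipaddress.ip_network(translated_subnet, strict=False)
    if addr not in local:
        raise ValueError(f"{ip} is not inside {local_subnet}")
    host_offset = int(addr) - int(local.network_address)
    return str(translated.network_address + host_offset)


def untranslate_address(ip: str, local_subnet: str, translated_subnet: str) -> str:
    """Reverse mapping, i.e. what happens to return traffic from the remote peer."""
    return translate_address(ip, translated_subnet, local_subnet)


def overlapping_vpn_subnets(subnets: List[str]) -> List[Tuple[str, str]]:
    """Pairs of planned VPN subnets that overlap (assumed planning check)."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


if __name__ == "__main__":
    # The example from the post.
    print(translate_address("192.168.128.44", "192.168.128.0/24", "10.15.30.0/24"))
    # The original question: a whole /24 onto one tunnel address is not 1:1.
    print(can_translate("192.168.100.0/24", "10.130.1.1/32"))
```

Running it prints `10.15.30.44` for the post's example and `False` for the original poster's /24-to-one-address case, which is the precise reason the feature answers the second question but not the first.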
PhilipDAth
Kind of a big deal

A trick you might be able to use is if you DON'T include the subnet in "VPN mode" (so you leave it disabled).

[image attachment: PhilipDAth_0-1700267668786.png]

It will NAT the local subnet into an IP address in the range 6.0.0.0/8 (not sure on exact details) to go over AutoVPN. This is kinda mentioned in some bits of documentation but not well documented.

https://documentation.meraki.com/MI/BETA%3A_Meraki_and_ThousandEyes_Integration_Troubleshooting#Issu...

You'll need to do a packet capture in the AutoVPN interface to see which exact IP address is being used. As long as you add a return route it should work.

But I would rather use subnet translation before this technique.

And I would much rather fix my IP address than use either of these hacks. That's because I like reliable configurations that "just work".
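The post above says the only way to learn which 6.0.0.0/8 address the MX picked is a packet capture on the AutoVPN interface, after which a return route is needed. As an added example (not the poster's code and not a Meraki tool), this Python snippet scans tcpdump-style capture lines for sources inside that range and lists the host routes the far side would need. The capture lines are constructed, the 6.x address is made up, and the `via AutoVPN` route notation is a hypothetical label, not Meraki syntax.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: what a capture on the AutoVPN interface might look like
# when a subnet that is NOT in VPN mode talks to a RADIUS server (1812/1813)
# across the tunnel. The 6.21.44.7 address is invented for this example.
SAMPLE_CAPTURE = """\
13:05:01.101 IP 6.21.44.7.50112 > 10.130.1.1.1812: UDP, length 128
13:05:01.102 IP 10.130.1.1.1812 > 6.21.44.7.50112: UDP, length 60
13:05:02.300 IP 192.168.100.25.44321 > 10.130.1.10.443: Flags [S], seq 1, win 64240, length 0
13:05:03.007 IP 6.21.44.7.50113 > 10.130.1.1.1813: UDP, length 96
"""

# tcpdump prints "src.port > dst.port:"; capture the four pieces.
_PKT_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Range the post says the MX uses for this internal NAT (exact details unknown).
AUTOVPN_NAT_RANGE = ipaddress.ip_network("6.0.0.0/8")


def autovpn_nat_sources(capture: str) -> Dict[str, List[str]]:
    """Map each 6.0.0.0/8 source address seen to the 'dst:port' targets it reached."""
    seen: Dict[str, List[str]] = {}
    for line in capture.splitlines():
        m = _PKT_RE.search(line)
        if not m:
            continue  # not a packet summary line
        src = ipaddress.ip_address(m["src"])
        if src not in AUTOVPN_NAT_RANGE:
            continue  # ordinary source, e.g. a subnet that is in VPN mode
        target = f"{m['dst']}:{m['dport']}"
        targets = seen.setdefault(str(src), [])
        if target not in targets:
            targets.append(target)
    return seen


def return_routes(capture: str, next_hop_label: str = "AutoVPN") -> List[str]:
    """Host routes the remote site needs so replies to the NATed address re-enter the tunnel.

    The 'via <label>' form is a hypothetical notation for this example.
    """
    return [f"{src}/32 via {next_hop_label}" for src in sorted(autovpn_nat_sources(capture))]


if __name__ == "__main__":
    for src, targets in autovpn_nat_sources(SAMPLE_CAPTURE).items():
        print(src, "->", ", ".join(targets))
    for route in return_routes(SAMPLE_CAPTURE):
        print("needed return route:", route)
```

On the sample it reports the single NATed source and its RADIUS targets, and proposes one /32 return route; the reply line and the 192.168.100.25 flow are skipped because neither source falls in 6.0.0.0/8. On a real capture, feed it the text output of the capture instead of `SAMPLE_CAPTURE`.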

Brash
Kind of a big deal

This is an interesting tidbit I never knew...

So the MX uses 6.0.0.0/8 internally within the tunnel(s) in order to route traffic across S2S VPN?

PhilipDAth
Kind of a big deal

Correct. This is mostly invisible.

I run into it occasionally when using RADIUS, and you see RADIUS client requests coming from this range when they hit the RADIUS server (under very specific use cases).
