Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Multiple subnets through single port

Solved
TerryMundy
Conversationalist
‎Dec 8 2017 8:46 AM
‎Dec 8 2017 8:46 AM

Multiple subnets through single port

We're testing a Meraki MX84 before we purchase.  3 days were spent setting up VLANS using configuration from the old Watchguard.

 

Finally, ready for cutover and everything worked EXCEPT-our internal web servers had no return path.  The internal web server has 2 NICs.  One goes to the Internet and has an IP address of 10.10.x.x and the other NIC's IP address is 20.10.10.x.  The 20.10.x.x is NAT'd to our internal network.  This allows the web team to perform updates without going out to the Internet then establish a tunnel back in.

 

The MX84 has 2 Internet gateways and 2 BOVPNs.  The 5th port is connected to a core switch.

 

We were able to verify traffic passed internally from the core switch to the MX84 the on to the internal web server.  However, traffic could not return through the same route.  It defaulted to the 10.10.x.x network instead of 20.10.x.x.

 

The Meraki engineer claimed that the MX84 wasn't capable of handling the problem as this time and it's a future feature.

 

Can anyone help?

0 Kudos
Subscribe
1 Accepted Solution
MRCUR
Kind of a big deal
‎Dec 8 2017 11:33 AM
‎Dec 8 2017 11:33 AM

I'm pretty sure the MX can only NAT from the outside (WAN) interface to an inside (LAN) interface, so I wouldn't expect the setup you're trying to do to work with an MX. It's not totally clear to me why you have this setup, so perhaps there's a workaround that's not clear to me. 

MRCUR | CMNO #12

View solution in original post

Subscribe
4 Replies 4
TerryMundy
Conversationalist
‎Dec 8 2017 9:01 AM
‎Dec 8 2017 9:01 AM

Below is the technician's notes:

 

In short the MX can not do internal 1:1 Natting

When traffic leaves the interface from the 172 network it is sent to the 20 network in the full 172 network space ip.

The Watchguard when traffic traverses to the other network interface allows it to appear as if it's coming from the 20 network IP of the watchguard (Similar to a router).

0 Kudos
Subscribe
In response to TerryMundy
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 8 2017 12:12 PM
‎Dec 8 2017 12:12 PM

The Meraki technician is correct.  You can only NAT from a WAN interface to a LAN interface.  You can not NAT from a LAN interface to a LAN interface.

 

Two fixes:

  • Configure a local hosts entry on the developer machines for the DNS name pointing to the internal IP.
  • Configure an internal DNS zone matching the external zone, but change the server entry to point to the internal IP address.
Subscribe
In response to PhilipDAth
TerryMundy
Conversationalist
‎Dec 11 2017 8:36 AM
‎Dec 11 2017 8:36 AM

Thanks to all that took time to reply.

0 Kudos
Subscribe
MRCUR
Kind of a big deal
‎Dec 8 2017 11:33 AM
‎Dec 8 2017 11:33 AM

I'm pretty sure the MX can only NAT from the outside (WAN) interface to an inside (LAN) interface, so I wouldn't expect the setup you're trying to do to work with an MX. It's not totally clear to me why you have this setup, so perhaps there's a workaround that's not clear to me. 

MRCUR | CMNO #12
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.