NAT Type: Unfriendly

ehsan230564
Here to help

Dear Sir,

My scenario is that I have two 4G internet connections connected to one MX64 device, on wan1 and wan4, configured as a site-to-site VPN hub with Automatic NAT traversal.

I have another MX64 device with another 4G internet connection on wan1, configured as a site-to-site VPN spoke to the hub specified above.

The VPN is established, but I get the message "NAT Type: Unfriendly".

I am also not able to ping a host connected to the LAN port of the MX64 configured as the VPN hub.

Since I have all the WAN ports set to Auto DHCP, how should I configure the following:

Manually create a port mapping on the upstream firewall that will forward all traffic received on a specific public IP and port to the internal address of the appliance on the selected port. In Dashboard on the Security & SD-WAN > Configure > Site-to-site VPN page use the Manual: Port forwarding option for NAT traversal, and provide the public IP address and port that was configured.

Thanks and regards.

PhilipDAth
Kind of a big deal

Your provider is probably using CG-NAT (Carrier Grade NAT) and/or running via an unfriendly firewall.

So check if that provider has other APNs you can use, in particular one that assigns public IP addresses or one that doesn't run through a firewall.

If they have other APNs you'll need to program those into the USB sticks with a notebook.
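
A quick way to check which kind of NAT each cellular uplink sits behind, as an added example that is not part of this thread or of Meraki's own tooling: take the address each WAN port received via DHCP (visible on the appliance status page) and test it against the RFC 6598 shared range carriers use for CG-NAT and the RFC 1918 private ranges. The uplink addresses below are constructed samples; the advice strings summarise the options discussed in this thread.

```python
import ipaddress

# RFC 6598 shared address space that carriers use for CG-NAT.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample uplink addresses (not from the thread).
SAMPLE_UPLINKS = {
    "hub wan1": "100.64.12.34",   # carrier-grade NAT
    "hub wan4": "10.0.0.5",       # private: NAT by an upstream router
    "spoke wan1": "8.8.8.8",      # public address (sample value only)
}

# What each address class means for NAT traversal on the MX.
ADVICE = {
    "public": "Globally routable address: Automatic NAT traversal should work; "
              "check that the upstream firewall allows the UDP flow back in.",
    "cgnat": "RFC 6598 shared address: the carrier is NAT-ing the link (CG-NAT). "
             "Ask for an APN or static-IP service with a public address; "
             "Manual: Port forwarding needs a mapping on a NAT device you control.",
    "private": "RFC 1918 address: a router/firewall upstream is NAT-ing the link. "
               "Manual: Port forwarding on that device is possible if it has a "
               "public IP and port you can map to the MX.",
    "other": "Not a usable WAN address; check the uplink's DHCP lease.",
}


def classify_wan_address(addr: str) -> str:
    """Return 'public', 'cgnat', 'private' or 'other' for a WAN address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4 or ip.is_loopback or ip.is_link_local \
            or ip.is_multicast or ip.is_unspecified:
        return "other"
    # Test the CG-NAT range first: older Python versions report it as
    # neither private nor global, so it would otherwise fall through.
    if ip in CGNAT_RANGE:
        return "cgnat"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def uplink_report(uplinks: dict) -> dict:
    """Map each uplink name to (address class, advice text)."""
    return {name: (classify_wan_address(addr), ADVICE[classify_wan_address(addr)])
            for name, addr in uplinks.items()}


def uplinks_needing_attention(uplinks: dict) -> list:
    """Names of uplinks that are not on a public address."""
    return [n for n, (kind, _) in uplink_report(uplinks).items() if kind != "public"]


if __name__ == "__main__":
    for name, (kind, advice) in uplink_report(SAMPLE_UPLINKS).items():
        print(f"{name}: {kind} - {advice}")
```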

AlexC
Meraki Employee

I agree with @PhilipDAth that this is likely due to the carrier NAT-ing your traffic (which is very common with cellular connections), and/or not allowing return traffic for the VPN traffic flow.

A reboot (or disabling and re-enabling the VPN) can sometimes resolve such issues because, with automatic NAT traversal, your MXen will establish a new UDP flow. This article has some nice illustrations of the entire VPN establishment process: https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_IPsec_Tunneling_bet...

If you plan on staying with cellular, it might be worthwhile to check with your carrier about getting static IP service rather than DHCP.

Cheers,

-Alex
