NAT at Datacenter to Spoke Location

SOLVED
DerikA

Hopefully I can describe this right. First, the current network setup:

 

Corp/datacenter:

 

The edge is a Cisco router connected to our "core" L3 switch. Our MX100 is set up as a one-armed concentrator/hub that is also connected to the "core" switch. The "core" layer 3 switch is handling the internal routing for the local Corp network, and the MX100 is providing the VPN connection to all the spoke MXs.

 

The external interface of the Cisco router has several external static IPs terminating on it, and they NAT to internal devices in the datacenter/corporate office and to some devices in the spoke locations.

 

Problem:

 

NAT addresses going to spoke locations drop all traffic at the MX and cannot reach the spoke location. Any NAT address going to a subnet at the Corp location works.

 

I have added the external IP range and the external interface IP of the Cisco router to the local networks on the MX concentrator under Site-to-site VPN > VPN settings, but traffic is still dropped.

 

Is it possible to route NAT traffic over the MX VPN in this configuration, and if so, how would I do so?

 

I hope that all makes sense. Please let me know if you want any more details, and thanks in advance for any assistance.

1 ACCEPTED SOLUTION
PhilipDAth

If you NAT traffic in from the DC to a spoke, then the spoke MUST send the return traffic back via the same path to the DC. This is only going to work for you if the inbound NAT is only used by a specific source IP on the Internet, and you add that route into AutoVPN at the DC to force the spoke to send the return traffic back.

 

Or you can use the full tunnel.

 

Or you find a way that does not involve NATed traffic to the spoke.  Send all the traffic to the DC, and let the spoke interact with the servers there.

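To make the symmetric-routing point concrete, here is an added example (not code from the thread or from Meraki) that models the spoke's return-path decision with a small longest-prefix-match routing table. A flow that was NATed in at the DC always arrives at the spoke through the AutoVPN tunnel; the flow only works if the spoke's reply to the Internet source is routed back into that tunnel. The function builds three spoke tables: split tunnel (default route out the local WAN), full tunnel (default route into AutoVPN), and split tunnel with the Internet source's /32 advertised from the hub, which is the "add that route into AutoVPN at the DC" fix. The prefixes, the spoke LAN 192.168.10.0/24, the DC range 10.0.0.0/8 and the Internet source addresses are constructed for illustration, not taken from the poster's network.

```python
"""Return-path check for a flow NATed in at the DC and forwarded to an AutoVPN spoke.
Added example; addresses are constructed (documentation / RFC 1918 ranges)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # "autovpn" (tunnel to hub), "wan" (local ISP) or "local"


def longest_match(table, dst):
    """Classic longest-prefix-match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen).next_hop


def spoke_table(mode, pinned_sources=()):
    """Build the spoke MX's routing table.

    mode:            "split" (default route via local WAN) or "full" (default via AutoVPN)
    pinned_sources:  Internet host addresses the hub advertises into AutoVPN as /32s,
                     i.e. the specific source IPs the inbound NAT is used by
    """
    table = [
        Route(ipaddress.ip_network("192.168.10.0/24"), "local"),   # spoke LAN (constructed)
        Route(ipaddress.ip_network("10.0.0.0/8"), "autovpn"),      # DC networks learned via AutoVPN
    ]
    if mode == "full":
        table.append(Route(ipaddress.ip_network("0.0.0.0/0"), "autovpn"))
    elif mode == "split":
        table.append(Route(ipaddress.ip_network("0.0.0.0/0"), "wan"))
    else:
        raise ValueError(f"unknown tunnel mode: {mode}")
    for src in pinned_sources:
        # A /32 is always more specific than the default route, so it wins
        # regardless of split or full tunnel.
        table.append(Route(ipaddress.ip_network(f"{src}/32"), "autovpn"))
    return table


def return_path_symmetric(mode, internet_src, pinned_sources=()):
    """True if the spoke's reply to internet_src goes back through the tunnel it arrived on.

    The inbound packet (DC router NAT -> hub MX -> tunnel -> spoke) always arrives via
    AutoVPN.  If the reply instead leaves the spoke's own WAN, the Internet host sees a
    reply from an address it never talked to, and the stateful NAT at the DC router never
    sees the return half of the session: the flow is asymmetric and effectively dropped.
    """
    inbound_path = "autovpn"
    outbound_path = longest_match(spoke_table(mode, pinned_sources), internet_src)
    return outbound_path == inbound_path


def explain(mode, internet_src, pinned_sources=()):
    """Human-readable verdict for one scenario."""
    ok = return_path_symmetric(mode, internet_src, pinned_sources)
    verdict = "symmetric, flow works" if ok else "asymmetric, reply leaves local WAN, flow breaks"
    return f"{mode} tunnel, source {internet_src}, pinned {list(pinned_sources)}: {verdict}"


if __name__ == "__main__":
    src = "203.0.113.7"  # constructed Internet host that uses the inbound NAT
    print(explain("split", src))
    print(explain("full", src))
    print(explain("split", src, pinned_sources=(src,)))
    # The caveat in the accepted answer: pinning one source does nothing for another.
    print(explain("split", "198.51.100.9", pinned_sources=(src,)))
```

The last scenario is the caveat in the accepted answer: advertising a /32 only helps for the sources you know about, so an inbound NAT that is reachable from arbitrary Internet hosts cannot be fixed this way on a split-tunnel spoke; that case needs a full tunnel or moving the NATed service to the DC.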

3 REPLIES
PhilipDAth

>NAT addresses going to spoke locations drop all traffic at the MX and cannot reach the spoke location

 

You need symmetric routing. Are the spokes running a full tunnel?

DerikA

@PhilipDAth sorry, I bumped Solved by accident. Also, I appreciate you always answering my questions, as I'm still learning.

 

I think I understand what you're saying about symmetric routing; I'll do some more reading on this now that I have a place to look.

 

Most of the spokes are split tunnels, primarily on non-MPLS circuits. Also, the Corp/datacenter Cisco router is load balancing over two internet sources, and the majority of the spoke locations are load balanced using Meraki MX load balancing.

