NAT between VLANs yet?

SJones
Here to help


I know this wasn't possible in the past, and I found a few couple-year-old topics on here... but has this changed yet? I have a need to NAT between VLANs. Do I still need to have another device for that or use WAN2? It's a bit of an odd use case - I only need a handful of devices to communicate to the other VLAN and this would be the easiest way.

Adam2104
Building a reputation

Not that I know of, NAT is only for (V)LAN --> WAN flows. I'm curious though, what is the design situation requiring internal NAT?


@Adam2104 wrote:

Not that I know of, NAT is only for (V)LAN --> WAN flows. I'm curious though, what is the design situation requiring internal NAT?


 

There's a router in VLAN B that I a) need to get traffic to/from and b) have no control over.  The easiest path forward is to recreate it like the ASA that's being replaced and NAT the 4 or 5 VLAN A machines to a VLAN B address when traffic is destined for that router.  Or all the time, really, it doesn't matter that much.

This is one of the reasons I really have a hard time proposing Meraki solutions for any but the most basic scenarios. "Yes, I'm sorry, the $10,000 device we proposed won't do what the $3,000 device we're replacing did."

 

Yes, I know, we should let routers route and NAT. But still, between little quirks like this and the non-Meraki VPN peer issues... I just wish it was a little better.

DHAnderson
Head in the Cloud

Have you tried the hairpin as referenced in @PhilipDAth's comment?

 

If nothing else, the proof of concept may give you more insight into how NAT can work in an MX.

 

- Dave

Dave Anderson
PhilipDAth
Kind of a big deal

Secret bit of knowledge.

 

The MX 1:1 NAT does not consider interfaces, is not bound to an interface, and simply acts on all traffic flows regardless of which interface the traffic comes in on.

@PhilipDAth are you sure about that? My MX isn't even responding to an ARP request when the "public IP" is in the same VLAN as my computer.

I've also tried to use an IP from VLAN 2 to NAT it to VLAN 3. My PC is in VLAN 1 here and using the MX as default gw. Still no luck =(

 

It used to work in the past ... I have not tried recently.

 

@GiacomoS  (who works for Meraki) has also mentioned it before.

https://community.meraki.com/t5/Security-SD-WAN/HairPin-Nat-Loop-back-NAT/m-p/24563/highlight/true#M... 

 

Other people seem to have done it as well.

https://community.meraki.com/t5/Security-SD-WAN/HairPin-Nat-Loop-back-NAT/m-p/24272/highlight/true#M... 
