Meraki

Community

NAT between VLANs yet?

SJones
Here to help
‎Nov 25 2020 7:33 AM
‎Nov 25 2020 7:33 AM

NAT between VLANs yet?

I know this wasn't possible in the past, and I found a few couple year old topics on here.... but has this changed yet?  I have a need to NAT between VLANs.  Do I still need to have another device for that or use WAN2?  It's a bit of an odd use case - I only need a handful of devices to communicate to the other vlan and this would be the easiest way.

0 Kudos
6 Replies 6
Adam2104
Building a reputation
‎Nov 25 2020 12:04 PM
‎Nov 25 2020 12:04 PM

Not that I know of, NAT is only for (V)LAN --> WAN flows. I'm curious though, what is the design situation requiring internal NAT?

0 Kudos
In response to Adam2104
SJones
Here to help
‎Nov 25 2020 3:06 PM
‎Nov 25 2020 3:06 PM

@Adam2104 wrote:

Not that I know of, NAT is only for (V)LAN --> WAN flows. I'm curious though, what is the design situation requiring internal NAT?

 

There's a router in VLAN B that I a) need to get traffic to/from and b) have no control over.  The easiest path forward is to recreate it like the ASA that's being replaced and NAT the 4 or 5 VLAN A machines to a VLAN B address when traffic is destined for that router.  Or all the time, really, it doesn't matter that much.

This is one of the reason I really have a hard time proposing Meraki solutions for any but the most basic scenarios.  "Yes, I'm sorry, the $10,000 device we proposed won't do what the $3,000 device we're replacing did."

 

Yes, I know, we should let routers route and NAT.  But still, between little quirks like this and the non-meraki vpn peer issues... I just wish it was a little better.

0 Kudos
In response to SJones
DHAnderson
Head in the Cloud
‎Mar 31 2021 5:00 PM
‎Mar 31 2021 5:00 PM

Have you tried the hairpin as referenced in @PhilipDAth comment?

 

If nothing else, the proof of concept may give you more insight into how NAT can work in a MX.

 

- Dave

Dave Anderson
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 25 2020 12:39 PM
‎Nov 25 2020 12:39 PM

Secret bit of knowledge.

 

The MX 1:1 NAT does not consider interfaces, is not bound to an interface, and simply acts on all traffic flows regardless of which interface the traffic comes in on.

0 Kudos
In response to PhilipDAth
Greenberet
Head in the Cloud
‎Nov 25 2020 2:49 PM
‎Nov 25 2020 2:49 PM

@PhilipDAthare you sure about that? My MX isn't even responding to an arp request, when the "public ip" is in the same vlan as my computer.

I've also tried to use an ip from vlan2 to NAT it to vlan 3. My PC is in VLAN 1 here and using the MX as default gw. Still no luck =(

 

0 Kudos
In response to Greenberet
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 25 2020 3:00 PM
‎Nov 25 2020 3:00 PM

It used to work in the past ... I have not tried recently.

 

@GiacomoS  (who works for Meraki) has also mentioned it before.

https://community.meraki.com/t5/Security-SD-WAN/HairPin-Nat-Loop-back-NAT/m-p/24563/highlight/true#M... 

 

Other people seem to have done it as well.

https://community.meraki.com/t5/Security-SD-WAN/HairPin-Nat-Loop-back-NAT/m-p/24272/highlight/true#M... 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.