NAT between a WAN port and a LAN port.

OBARRERA
Here to help


Hi everyone,


I need your help with a question

We have a network like the one in the attached image. Above our Meraki they put a FortiGate that gives DHCP and does group policies, web filtering, etc.

That FortiGate also does the site-to-site VPN with other branches, but they don't want to free up other ports or create VLANs to communicate between the different segments we have, so that's what the Meraki will do.


My question is: if we connect that FortiGate to the Meraki WAN port, can that port do the NAT to the Meraki LAN network?

That is, Meraki from its WAN port does the NAT between the 2 networks.

Is this possible to do?


I really hope you can help me 🙂

[Attached image: OBARRERA_0-1625004772979.png (network diagram)]

Bruce
Kind of a big deal

@OBARRERA you can do NAT on the Meraki between WAN and LAN with no problem, that's one of the use cases for Meraki NAT. The 'public' (i.e. outside) IP address can even be the same as the inside IP address if you just want to get the traffic across the MX without actually changing the IP address. The only check Meraki does is that the 'private' (i.e. inside) IP address actually exists as a VLAN on the MX or is reachable via a route from the MX; it doesn't do any reachability checks for the 'public' IP address, you just need to make sure that the upstream device is routing that IP address to the MX, and the MX just responds for the IP address.


Downside of the Meraki NAT is that you can only configure NATs for a single host at a time, so if you want to do a NAT for an entire /24 subnet then you need to create 255 individual NATs - no fun.


I'm not entirely sure what your desired outcome is, but if you are stuck with the configuration you've shown you may be able to use the No-NAT feature. This allows you to turn off NAT for each WAN port, and if desired on a per-VLAN basis too, so that traffic traverses the MX without NAT. You need to get support to switch No-NAT on for you if you think this will work, and at the same time they'll also enable the inbound firewall so that you can configure the rules on the MX to allow inbound traffic too. Be aware that by default when they enable the inbound firewall it is set to allow any to any by default (obviously you can add your own rules to change this), although since you're sitting behind the FortiGate this may not be an issue.
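As an added example (not from the original thread), the script below generates the per-host 1:1 NAT rule list that the reply describes, covering both the same-IP case (public address equal to the inside address) and a separate public range. The field names follow the Meraki Dashboard API one-to-one NAT schema as an assumption; the script only builds the list and does not call the API.

```python
"""Build a Meraki-style 1:1 NAT rule list for a whole subnet.

Assumption: rule fields (name, lanIp, publicIp, uplink, allowedInbound)
mirror the Dashboard API one-to-one NAT rule schema. No API call is made.
"""
import ipaddress


def build_one_to_one_nat_rules(lan_subnet, public_subnet=None,
                               uplink="internet1", allowed_inbound=None):
    """Return one 1:1 NAT rule per host address in lan_subnet.

    public_subnet=None reproduces the trick from the reply: the 'public'
    address is the same as the inside address, so traffic crosses the MX
    without the IP being rewritten. allowed_inbound defaults to an empty
    list, i.e. no inbound exposure unless the caller opts in.
    """
    lan_net = ipaddress.ip_network(lan_subnet, strict=True)
    pub_net = (ipaddress.ip_network(public_subnet, strict=True)
               if public_subnet else lan_net)
    if pub_net.num_addresses != lan_net.num_addresses:
        raise ValueError("public and LAN subnets must be the same size "
                         "for a 1:1 host mapping")
    if allowed_inbound is None:
        allowed_inbound = []

    rules = []
    # hosts() skips the network and broadcast addresses, so a /24 yields
    # 254 usable host mappings.
    for lan_ip, pub_ip in zip(lan_net.hosts(), pub_net.hosts()):
        rules.append({
            "name": f"nat-{lan_ip}",
            "lanIp": str(lan_ip),
            "publicIp": str(pub_ip),
            "uplink": uplink,
            "allowedInbound": list(allowed_inbound),
        })
    return rules


if __name__ == "__main__":
    # Constructed sample: inside 192.168.10.0/24 mapped to 203.0.113.0/24,
    # allowing only HTTPS inbound to each host.
    https_only = [{"protocol": "tcp", "destinationPorts": ["443"],
                   "allowedIps": ["any"]}]
    rules = build_one_to_one_nat_rules("192.168.10.0/24", "203.0.113.0/24",
                                       allowed_inbound=https_only)
    print(len(rules), "rules; first:", rules[0])
```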
