
NAT exemption / No Nat functionality on MX84

SOLVED
Getting noticed


I have a MX84 that will have a link to a private MPLS cloud where some of our servers reside.

 

It also has a traditional connection to the Internet

 

I had a couple questions about this setup

 

1. I don't want to NAT traffic from my LAN going to that MPLS cloud if I can help it. I want to preserve the current private addresses. How can I do this? 

 

2. I don't seem to be able to configure interfaces on the MX84 from the cloud --I have to do it from the local admin page (out-of-band). Is this correct? In other words, I can't select an interface and give it an IP address, start building rules around it, etc. from Dashboard 

1 ACCEPTED SOLUTION

Kind of a big deal

Re: NAT exemption / No Nat functionality on MX84

1. Typically in this case you create a VLAN, and plug the MPLS into that VLAN. NAT is not done between VLANs. This guide talks about configuring MPLS failover to AutoVPN. If you ignore the failover and AutoVPN bits, the rest applies to your case.

https://documentation.meraki.com/MX-Z/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

 

2. The MX has to be online before you can configure it.  So frequently you have to use the local status page to do this.  Once the MX is online you can make some changes to the WAN interfaces through the dashboard - but be careful not to cut yourself off.


Getting noticed

Re: NAT exemption / No Nat functionality on MX84

Under my routing tab I have 

 

VLANS: disabled: Use a single LAN

 

what happens if I switch that to "enabled" ? Is that interface going to turn into a dot1q trunk?

 

 

Kind of a big deal

Re: NAT exemption / No Nat functionality on MX84

Yes, turn VLANs on.

 

All interfaces on the MX will be trunk interfaces.  You'll probably want to change some of them to access interfaces in a specific VLAN.

Getting noticed

Re: NAT exemption / No Nat functionality on MX84

Is this going to affect my uplink interface and disconnect me if I turn this feature on?

 

Kind of a big deal

Re: NAT exemption / No Nat functionality on MX84

It has no impact on the uplink interface.

Getting noticed

Re: NAT exemption / No Nat functionality on MX84

OK so it looks like I am on the right track here now

 

I switched the mode, added a new VLAN (VLAN 5, 192.168.5.0/29) to serve as a transit between my MPLS router and the MX. For the "MX IP" field when adding the new local VLAN I entered 192.168.5.2

 

I then put LAN interface 4 into that VLAN as an access port on the MX, and connected that to the router

 

Does this sound correct? I shouldn't have to NAT in this case right?

Getting noticed

Re: NAT exemption / No Nat functionality on MX84

Hi Silas1066, 

 

The other option you have is to request that Meraki support upgrade that network and device to the 15.9 No-NAT beta release. You then have the option to disable NAT on the interface that is facing your MPLS network.

 

Regards,

Ben

Comes here often

Re: NAT exemption / No Nat functionality on MX84

 

We tested this beta NO-NAT functionality.

There is an issue, confirmed by Meraki TAC: ICMP does not work, which means the servers on MPLS are not able to ping the host on LAN. This was considered unacceptable and the "TRANSIT VLAN to MPLS" solution was used.

The only remark with this solution is that the route 0.0.0.0 0.0.0.0, by default, points to the Internet interface. We had to create routes to private IP ranges (10.0.0.0/8, for example) to make OUTBOUND traffic flow via the transit VLAN. The LAN subnets also had to be redirected to the transit VLAN on the MPLS router for INBOUND traffic.
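
The routing described in the post above, as an added example that is not part of the original thread: a small offline audit that applies longest-prefix matching to a constructed MX route table and reports which MPLS-side prefixes would still follow the default route to the Internet uplink, and which LAN subnets the MPLS router cannot return traffic to. The MPLS router address 192.168.5.1, the LAN subnets, the MPLS-side prefixes and the interface names are assumptions; only VLAN 5, 192.168.5.0/29, 192.168.5.2 and 10.0.0.0/8 come from the thread.

```python
import ipaddress

# Constructed tables modelled on the thread: VLAN 5 (192.168.5.0/29) is the transit
# VLAN and the MX IP is 192.168.5.2. The MPLS router address 192.168.5.1, the LAN
# subnets and the interface names are assumptions for illustration.
MX_ROUTES = [  # (prefix, next hop, egress interface, NAT applied on egress)
    ("0.0.0.0/0", "isp-gateway", "internet-uplink", True),
    ("192.168.5.0/29", "connected", "vlan5-transit", False),
    ("192.168.1.0/24", "connected", "vlan1-lan", False),
    ("10.0.0.0/8", "192.168.5.1", "vlan5-transit", False),
]
MPLS_ROUTER_ROUTES = [("192.168.1.0/24", "192.168.5.2")]  # (prefix, next hop)


def best_route(routes, target):
    """Longest-prefix match for a single address or a whole prefix."""
    net = ipaddress.ip_network(target, strict=False)
    covering = [r for r in routes if net.subnet_of(ipaddress.ip_network(r[0]))]
    return max(covering, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)


def outbound_gaps(routes, mpls_prefixes):
    """MPLS-side prefixes that fall through to the default route and get NATed."""
    return [p for p in mpls_prefixes if best_route(routes, p)[3]]


def inbound_gaps(router_routes, lan_prefixes, mx_transit_ip):
    """LAN prefixes the MPLS router has no route for via the MX transit address."""
    gaps = []
    for prefix in lan_prefixes:
        net = ipaddress.ip_network(prefix)
        covered = any(
            net.subnet_of(ipaddress.ip_network(route_prefix)) and hop == mx_transit_ip
            for route_prefix, hop in router_routes
        )
        if not covered:
            gaps.append(prefix)
    return gaps


if __name__ == "__main__":
    print(best_route(MX_ROUTES, "10.20.1.5")[2])
    print(outbound_gaps(MX_ROUTES, ["10.20.0.0/16", "172.16.8.0/24"]))
    print(inbound_gaps(MPLS_ROUTER_ROUTES,
                       ["192.168.1.0/24", "192.168.2.0/24"], "192.168.5.2"))
```

A prefix listed by `outbound_gaps` is one whose traffic would leave through the Internet uplink instead of the transit VLAN, so it needs its own static route on the MX.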

 

New here

Re: NAT exemption / No Nat functionality on MX84

Had an interesting workaround to no NAT, that I'm not sure is supported, but seems to work in our lab.

 

If you create 1:1 NAT rules that have any/any allowed where the destination IP before and after NAT is the same... i.e. NAT destination <LAN subnet> to destination <LAN subnet> IP. And create a 1:1 rule for each IP in your LAN subnet, aren't you technically achieving the same goal as if NAT were disabled entirely?

 

Example: NAT public IP 192.168.1.10 (being advertised/routed down our MPLS) to private IP 192.168.1.10 (IP that exists in a LAN VLAN that is attached to an interface).

 

Fiddly workaround for large subnets maybe.
