NAT exemption / No Nat functionality on MX84

Solved
Silas1066
Getting noticed

I have an MX84 that will have a link to a private MPLS cloud where some of our servers reside.

It also has a traditional connection to the Internet.

I had a couple of questions about this setup:

1. I don't want to NAT traffic from my LAN going to that MPLS cloud if I can help it. I want to preserve the current private addresses. How can I do this?

2. I don't seem to be able to configure interfaces on the MX84 from the cloud; I have to do it from the local admin page (out-of-band). Is this correct? In other words, I can't select an interface and give it an IP address, start building rules around it, etc. from the Dashboard.

1 Accepted Solution
PhilipDAth
Kind of a big deal

1. Typically in this case you create a VLAN, and plug the MPLS into that VLAN. NAT is not done between VLANs. This guide talks about configuring MPLS failover to AutoVPN. If you ignore the failover and AutoVPN bits, the rest applies to your case.

https://documentation.meraki.com/MX-Z/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN

2. The MX has to be online before you can configure it. So frequently you have to use the local status page to do this. Once the MX is online you can make some changes to the WAN interfaces through the dashboard - but be careful not to cut yourself off.


11 Replies

Silas1066
Getting noticed

Under my routing tab I have

VLANs: disabled: Use a single LAN

What happens if I switch that to "enabled"? Is that interface going to turn into a dot1q trunk?


PhilipDAth
Kind of a big deal

Yes, turn VLANs on.

All interfaces on the MX will be trunk interfaces. You'll probably want to change some of them to access interfaces in a specific VLAN.

Silas1066
Getting noticed

Is this going to affect my uplink interface and disconnect me if I turn this feature on?

PhilipDAth
Kind of a big deal

It has no impact on the uplink interface.

Silas1066
Getting noticed

OK, so it looks like I am on the right track here now.

I switched the mode, added a new VLAN (VLAN 5, 192.168.5.0/29) to serve as a transit between my MPLS router and the MX. For the "MX IP" field when adding the new local VLAN I entered 192.168.5.2.

I then put LAN interface 4 into that VLAN as an access port on the MX, and connected that to the router.

Does this sound correct? I shouldn't have to NAT in this case, right?

benny
Getting noticed

Hi Silas1066,

The other option you have is to request Meraki support upgrade that network and device to the 15.9 No-NAT beta release. You then have the option to disable NAT on the interface that is facing your MPLS network.

Regards,

Ben

AZEIDLER
Comes here often

We tested this beta NO-NAT functionality.

There is an issue, confirmed by Meraki TAC: ICMP does not work, which means the servers on MPLS are not able to ping the hosts on the LAN. This was considered unacceptable and the "transit VLAN to MPLS" solution was used.

The only remark with this solution is that the route 0.0.0.0 0.0.0.0, by default, points to the Internet interface. We had to create routes to private IP ranges (10.0.0.0/8, for example) to make OUTBOUND traffic flow via the transit VLAN. The LAN subnets also had to be redirected to the transit VLAN on the MPLS router for INBOUND traffic.

JasonForster
New here

Had an interesting workaround to no NAT, that I'm not sure is supported, but seems to work in our lab.

If you create 1:1 NAT rules that have any/any allowed where the destination IP before and after NAT is the same, i.e. NAT destination <LAN subnet> to destination <LAN subnet> IP, and create a 1:1 rule for each IP in your LAN subnet, aren't you technically achieving the same goal as if NAT were disabled entirely?

Example: NAT public IP 192.168.1.10 (being advertised/routed down our MPLS) to private IP 192.168.1.10 (IP that exists in a LAN VLAN that is attached to an interface).

Fiddly workaround for large subnets maybe.
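
As an added illustration (not code from this thread, from Meraki, or from any poster), the following Python models two points made above: the routing decision AZEIDLER describes, where the default route points at the Internet uplink and only explicit static routes for private ranges send traffic untranslated via the transit VLAN, and the number of per-host 1:1 rules JasonForster's workaround would need. The transit VLAN 192.168.5.0/29 and MX IP 192.168.5.2 follow Silas1066's post; the MPLS router address 192.168.5.1, the LAN VLAN 192.168.1.0/24 and the MPLS-side prefix 10.0.0.0/8 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing that follows the thread: transit VLAN 5 is
# 192.168.5.0/29 with the MX at 192.168.5.2. The MPLS router's address on the
# transit VLAN (192.168.5.1), the LAN VLAN (192.168.1.0/24) and the prefixes
# reachable over MPLS (10.0.0.0/8) are assumptions for this example.
TRANSIT_VLAN = ipaddress.ip_network("192.168.5.0/29")
MX_TRANSIT_IP = ipaddress.ip_address("192.168.5.2")
MPLS_ROUTER_IP = ipaddress.ip_address("192.168.5.1")
LAN_VLAN = ipaddress.ip_network("192.168.1.0/24")
MPLS_PREFIXES = ["10.0.0.0/8"]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egress: str                                  # "vlan1", "vlan5" or "wan1"
    next_hop: Optional[ipaddress.IPv4Address]    # None for directly connected


def base_routes() -> List[Route]:
    """What the MX has before any static routes: the connected VLANs plus a
    default route out the Internet uplink (the 0.0.0.0/0 AZEIDLER mentions)."""
    return [
        Route(LAN_VLAN, "vlan1", None),
        Route(TRANSIT_VLAN, "vlan5", None),
        Route(ipaddress.ip_network("0.0.0.0/0"), "wan1", None),
    ]


def with_mpls_routes(routes: List[Route], prefixes) -> List[Route]:
    """Add one static route per MPLS-side prefix with the MPLS router on the
    transit VLAN as next hop. A next hop that is not on a connected subnet
    can never be reached, so that is rejected here."""
    connected = [r.prefix for r in routes if r.next_hop is None]
    if not any(MPLS_ROUTER_IP in net for net in connected):
        raise ValueError(f"next hop {MPLS_ROUTER_IP} is not on a connected VLAN")
    return routes + [Route(ipaddress.ip_network(p), "vlan5", MPLS_ROUTER_IP)
                     for p in prefixes]


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def egress_for(routes: List[Route], dst: str) -> Tuple[str, bool]:
    """Return (egress interface, whether the source address is NATed).
    Per PhilipDAth's answer, NAT only happens on the WAN uplinks; traffic
    routed between VLANs keeps its private source address."""
    route = lookup(routes, dst)
    return route.egress, route.egress.startswith("wan")


def transit_vlan_ok() -> bool:
    """Sanity check on the /29: both ends must be distinct usable hosts in it."""
    hosts = set(TRANSIT_VLAN.hosts())
    return (MX_TRANSIT_IP in hosts and MPLS_ROUTER_IP in hosts
            and MX_TRANSIT_IP != MPLS_ROUTER_IP)


def identity_one_to_one_rules(lan_subnet: str) -> List[Tuple[str, str]]:
    """JasonForster's workaround modelled: one 1:1 NAT rule per LAN host whose
    'public' and 'private' addresses are identical. The length of the list is
    the number of rules an administrator would have to create by hand."""
    return [(str(h), str(h)) for h in ipaddress.ip_network(lan_subnet).hosts()]


if __name__ == "__main__":
    before = base_routes()
    after = with_mpls_routes(before, MPLS_PREFIXES)
    for dst in ("10.20.30.40", "8.8.8.8", "192.168.1.50"):
        print(dst, "before:", egress_for(before, dst), "after:", egress_for(after, dst))
    print("1:1 rules needed for", LAN_VLAN, ":", len(identity_one_to_one_rules(str(LAN_VLAN))))
```

Running it shows that, without the 10.0.0.0/8 static route, a packet for a server at 10.20.30.40 follows the default route out the Internet uplink and is NATed; with the route it leaves via VLAN 5 with its 192.168.1.x source intact. The model covers only the MX side; AZEIDLER's second point, that the MPLS router needs return routes for the LAN subnets pointing at the transit VLAN, still has to be configured on that router.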

Aadil
Comes here often

Hi Everyone,

Would anyone know when the NO-NAT feature will be officially available?

I am currently running 14.40, which is a bit limiting in my opinion.

Regards

A

whistleblower
Building a reputation

I think a link to the Meraki documentation site already existed here, in which it was recommended to use the LAN interfaces (for the time being) for native MPLS! Maybe someone has this link and can provide it?

I'd also like to ask a question regarding the use of the LAN interface vs. the WAN NO NAT/NAT exemption feature in beta...

Is my understanding correct that, when I use a LAN interface for routing traffic to an MPLS router, no statistics such as

[screenshot of appliance traffic statistics; image not preserved]

show up on the appliance dashboard? If so, is this possible when using NO NAT on a WAN interface?

Probably someone can also point out the differences/advantages when using NO NAT on a WAN interface... for example, content filtering, etc. may also work with it?

