Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

NAT hairpin question

GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jul 30 2019 12:53 AM
‎Jul 30 2019 12:53 AM

NAT hairpin question

We have the following situation:

On the main site of a customer we have an MX84 with an MPLS connection on WAN1 and a public internetconnection on WAN2.

 

There is a local webserver in the private LAN that has port TCP/80,443 forwarded from WAN2 (public) towards it.

Local LAN users can get the private IP address through local DNS and that works just dandy.

 

However professional visitors who only get Guest WiFi access with a public DNS server also need to reach that webserver.

Their traffic is of course egressed on WAN2 (public).

So for them to reach the local webserver they get the public WAN2 address because I do not wish to give them access to the local DNS server so we expose internal addresses to them.

 

Does the MX support NAT hairpin?  And how does it implement it if it does?

If it is not supported I could of course try to  route traffic towards that destination out WAN 1 (MPLS) and let them circle the internet back in WAN2.  But it would be nice if someone could confirm support for the hairpin.

At this time it's not working, but I want to do some packet captures locally before calling support 🙂

0 Kudos
Subscribe
4 Replies 4
BrechtSchamp
Kind of a big deal
‎Jul 30 2019 1:04 AM
‎Jul 30 2019 1:04 AM

Judging by this message it should work:

https://community.meraki.com/t5/Security-SD-WAN/HairPin-Nat-Loop-back-NAT/m-p/24563/highlight/true#M...

Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 30 2019 4:33 PM
‎Jul 30 2019 4:33 PM

My memory is pretty grey now, but I'm about 75% sure that works fine.

Subscribe
In response to PhilipDAth
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jul 31 2019 6:31 AM
‎Jul 31 2019 6:31 AM

I'll have to make a test setup if the time and gear permits.

In this situation the public IP was owned by a oneACCESS router in front of the MX pair instead of having the pub IP on the MX itself.

The hairpin did not work on the oneACCESS router.  I captured the traffic and saw the outbound TCP connection but no packets back downstream.  The TCP handshake was succesful but followed by a reset short after.  So I can only assume the oneACCESS responded itself to the TCP syn.

There is a DMZ host feature implemented on the oneACCESS but the ISP manages that router and they couldn't fix it.

 

So I had to implement my workaround by sending traffic destined to that public IP out the other WAN interface so the internet just circled it back downstream.

Subscribe
JasonCampbell
Getting noticed
‎Jul 31 2019 6:20 PM
‎Jul 31 2019 6:20 PM

Whole the solution above may work, it needs to be noted that Meraki MX does not currently support true Source NAT. 

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.