Nat over VPN Tunnel to Non Meraki Firewall

NorthCentralTel
New here

We are looking at moving to a Meraki MX-250 Security Device.

I have a VPN tunnel with another company. I believe they have a Juniper VPN device.

We have a server they connect to over the VPN tunnel today.

The server's private IP is 172.18.0.99. They require us to NAT the server to a public IP, say 1.1.1.10, because they have other clients with the 172.18.0.0/24 network.

We do this with a Cisco ASA today. Can this be done with Meraki?

7 REPLIES
UCcert
Kind of a big deal

Hi @NorthCentralTel, hopefully I’ve read and understood your question correctly. It’s possible, but only on a Meraki to Meraki VPN.

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

I've actually tested this and it does actually perform NAT translation over ALL Meraki and Non-Meraki VPNs. The only problem is you cannot NAT per VPN; it's all or none. In our case, we needed 1 3rd party VPN NAT'ed, but not the other, so it did not work out in our case.

You can perform subnet translation - however this person is asking about NATing their subnet to a specific public IP address to go over the VPN.

PhilipDAth
Kind of a big deal

> We do this with a Cisco ASA today. Can this be done with Meraki?

No.

KarstenI
Kind of a big deal

My stance: The more complex a VPN setup is, the more likely it is that the ASA should be kept as a VPN gateway for quite some time.

UCcert
Kind of a big deal

Hi @KarstenI, yep, agree with that statement. Most recent firewall project we had to place a couple of ASAs back into the design for that very reason. Customer's VPN requirements were varied and complex.

GIdenJoe
Kind of a big deal

I like how the ASA decouples NAT from everything else.

It does make it a lot more complex to configure if you have an involved config, but you can get by in most use cases.

Cisco remains an aeroplane cockpit with loads of buttons and possibilities while Meraki is more like a remote controlled car with a stick and a few buttons.
