Meraki

Community

Nat over VPN Tunnel to Non Meraki Firewall

NorthCentralTel
New here
‎Oct 12 2020 11:01 AM
‎Oct 12 2020 11:01 AM

Nat over VPN Tunnel to Non Meraki Firewall

We are looking at moving to a Meraki MX-250 Security Device.

 

I have a VPN tunnel with another Company. I believe they have a Juniper VPN Device,

we  have a server they connect to over a the VPN tunnel today.

The Servers Private IP is 172.18.0.99. they require us to Nat the server to a public IP say 1.1.1.10, because they have other client swith the 172.18.0..0/24 network.

 

We do this with a CIsco ASA today, Can this be done with Meraki?

0 Kudos
7 Replies 7
DarrenOC
Kind of a big deal
Kind of a big deal
‎Oct 12 2020 12:05 PM
‎Oct 12 2020 12:05 PM

Hi @NorthCentralTel, hopefully I’ve read and understood your question correctly. it’s possible but only on a Meraki to Meraki VPN

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
JasonCampbell
Getting noticed
‎Oct 12 2020 1:16 PM
‎Oct 12 2020 1:16 PM

I've actually tested this and it does actually perform NAT translation over ALL Meraki and Non-Meraki VPNs. The only problem is you cannot NAT per VPN; it's all or none. In our case, we needed 1 3rd party VPN NAT'ed, but not the other, so it did not work out in our case.

0 Kudos
In response to JasonCampbell
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 12 2020 1:18 PM
‎Oct 12 2020 1:18 PM

You can perform subnet translation - however this person is asking about NATing their subnet to a specific public IP address to go over the VPN.

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 12 2020 12:29 PM
‎Oct 12 2020 12:29 PM

>We do this with a CIsco ASA today, Can this be done with Meraki?

 

No.

0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Oct 12 2020 1:23 PM
‎Oct 12 2020 1:23 PM

My stance: The more complex a VPN setup is, the more likely is that the ASA should be kept as a VPN gateway for quite some time.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
DarrenOC
Kind of a big deal
Kind of a big deal
‎Oct 12 2020 1:27 PM
‎Oct 12 2020 1:27 PM

Hi @KarstenI , yep, agree with that statement. Most recent firewall project we had to place a couple of ASAs back into the design for that very reason. Customers VPN requirements were varied and complex.  

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Oct 14 2020 10:17 AM
‎Oct 14 2020 10:17 AM

I like how the ASA decouples NAT from everything else.

It does make it alot more complex to configure if you have an involved config but you can get by most use cases.

 

Cisco remains an aeroplane cockpit with loads of buttons and possibilities while Meraki is more like a remote controlled car with a stick and a few buttons.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.