Port forward to remote host via AutoVPN

BUGS_BYTE


Hello compatriots!

I am looking for a solution for public access to an internal host sitting behind a carrier-grade NAT (CGNAT).

I have two Meraki network locations. At the head-end I am port-forwarding a number of services fine. At the remote site I get a private IP handoff, and access the internet from a distant public IP address the carrier manages.

Between the two locations I have a hub/spoke AutoVPN.

I am looking for a way to leverage the port-forwarding feature I do have at the head-end to forward SIP traffic to a call manager at the remote office.

Any cleverness available to get this done?

Currently, when attempting the port forward at the head-end MX to the remote site IP, the GUI fails, stating a requirement that the destination IP be configured in a local subnet.
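The dashboard check described in the post can be reproduced offline before a rule is ever submitted. The script below is an added example for this thread, not Meraki's code and not from the original poster: it builds port-forwarding rules in the shape the Dashboard API v1 expects (PUT /networks/{networkId}/appliance/firewall/portForwardingRules), compares each rule's lanIp against the subnets the MX serves locally (the shape of GET /networks/{networkId}/appliance/vlans), and reports when the destination is only reachable as an AutoVPN peer subnet, which is exactly the case the dashboard rejects. The network ID, the VLAN list and the subnets 10.10.0.0/24, 10.10.20.0/24 and 10.20.0.0/24 are constructed sample data; the optional submit step needs an API key and a network connection and is not exercised here.

```python
"""Pre-check Meraki MX port-forwarding rules against locally configured subnets.

Added example for this discussion; not Meraki's code. Endpoint paths are the
Dashboard API v1 ones; all IDs and subnets below are constructed samples.
"""
import ipaddress
from typing import Dict, List

HEADEND_NETWORK_ID = "L_000000000000000001"  # hypothetical network ID

# Constructed sample of what GET /networks/{id}/appliance/vlans returns for
# the head-end MX (only the fields this script uses).
HEADEND_VLANS = [
    {"id": 1, "name": "Servers", "subnet": "10.10.0.0/24", "applianceIp": "10.10.0.1"},
    {"id": 20, "name": "Voice", "subnet": "10.10.20.0/24", "applianceIp": "10.10.20.1"},
]

# Subnets learned over AutoVPN from the spoke. They are in the head-end's
# routing table but are NOT locally configured, which is the distinction the
# dashboard's "destination must be in a locally configured subnet" check makes.
SPOKE_AUTOVPN_SUBNETS = ["10.20.0.0/24"]


def local_subnets(vlans: List[Dict]) -> List[ipaddress.IPv4Network]:
    """Subnets the MX owns directly (VLAN or single-LAN config)."""
    return [ipaddress.ip_network(v["subnet"], strict=False) for v in vlans]


def build_rule(name: str, lan_ip: str, public_port: int, local_port: int,
               protocol: str = "udp", allowed_ips: List[str] = None,
               uplink: str = "both") -> Dict:
    """One entry of the 'rules' list for the portForwardingRules endpoint.
    Ports are strings in the API payload, so they are stringified here."""
    return {
        "name": name,
        "lanIp": lan_ip,
        "publicPort": str(public_port),
        "localPort": str(local_port),
        "protocol": protocol,
        "allowedIps": allowed_ips or ["any"],
        "uplink": uplink,
    }


def check_rule(rule: Dict, vlans: List[Dict], vpn_subnets: List[str]) -> List[str]:
    """Errors mirroring the dashboard's local-subnet requirement; [] means the
    destination would be accepted by this MX."""
    ip = ipaddress.ip_address(rule["lanIp"])
    if any(ip in net for net in local_subnets(vlans)):
        return []
    msg = f"{rule['name']}: lanIp {ip} is not in a locally configured subnet"
    for s in vpn_subnets:
        if ip in ipaddress.ip_network(s, strict=False):
            msg += (f"; it falls in AutoVPN peer subnet {s}, so the forward must be "
                    f"created on the MX/Z that owns that subnet, not at the head-end")
    return [msg]


def audit_exposure(rule: Dict) -> List[str]:
    """Warnings about the public-side exposure of a rule (SIP on 5060 open to
    'any' is a common scanning and toll-fraud target)."""
    warnings = []
    if "any" in rule["allowedIps"]:
        warnings.append(f"{rule['name']}: reachable from any source on "
                        f"{rule['protocol']}/{rule['publicPort']}; restrict allowedIps "
                        f"to the SIP provider's addresses")
    return warnings


def payload(rules: List[Dict]) -> Dict:
    """Body for PUT /networks/{id}/appliance/firewall/portForwardingRules."""
    return {"rules": rules}


def submit(network_id: str, rules: List[Dict], api_key: str,
           base_url: str = "https://api.meraki.com/api/v1") -> Dict:
    """Push the rules. Only called when an API key is available (not run here)."""
    import requests  # imported lazily so the checks above work offline
    url = f"{base_url}/networks/{network_id}/appliance/firewall/portForwardingRules"
    resp = requests.put(url, headers={"Authorization": f"Bearer {api_key}"},
                        json=payload(rules), timeout=30)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    candidates = [
        build_rule("SIP to local CM", "10.10.20.5", 5060, 5060,
                   allowed_ips=["203.0.113.0/24"]),   # provider range, constructed
        build_rule("SIP to remote CM", "10.20.0.5", 5060, 5060),
    ]
    for r in candidates:
        for line in check_rule(r, HEADEND_VLANS, SPOKE_AUTOVPN_SUBNETS) + audit_exposure(r):
            print(line)
```

Run as-is, the script prints one error for the remote-office rule (its destination is only known over AutoVPN) and one exposure warning for it (open to any source), and nothing for the head-end rule; only rules that pass check_rule should be passed to submit.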

alemabrahao

Is communication via Meraki SD-WAN an option for you?

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
BUGS_BYTE

I am not too familiar with the SD-WAN feature; I was initially dismissive as it seemed more for the purposes of quality of service, while I was just aiming at the service alone thus far.

I do note the following in the reference provided:

PbR with Performance Failover for Web traffic

Web traffic is another common type of traffic that a network administrator may wish to optimize or control. This branch will leverage a PbR rule to send web traffic over VPN tunnels formed on the WAN 1 interface, but only if that matches a custom-configured performance class.

So far, I was concerned with any connectivity over the service port.

As to SD-WAN being an option for me, I do not see an obvious barrier in my case, having MX/Z3 at the respective sites.

However, it is not clear to me exactly how SD-WAN fits into the solution. Can you elaborate?

First question: at the remote site, do you have an MX as well? If you don't, the choice would be to set up a site-to-site VPN between the two sites. The issue here is that you won't be able to do port forwarding via VPN/SD-WAN.

Here you can read about SD-WAN: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping
PhilipDAth

For NAT to work, you need the return traffic to come back via the device that did the NAT. In this case, if you make the AutoVPN a full tunnel, then it should work.

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/... 

PhilipDAth

PS: if it was me, I'd get rid of the on-premise call manager and move to a cloud-hosted solution, where you don't require any NAT at all, and engineer the problem out of existence.

BUGS_BYTE

The issue is in creating the NAT in the first place. Dashboard throws the error "destination IP must be in a locally configured subnet" when trying.

This same function would also be beneficial for other services at the branch, so it is worth some time to figure out.

Particularly with the voice service, the call manager is bundled with other features required to be onsite. In particular, a phone may only register when on the same broadcast domain as the call manager. FYI, the voice solution is UniFi and the product is Dream Machine.

OK, that must be an extra check they have added. I have done something similar to this, but a LONG time ago. I assume you have AutoVPN configured already, so the remote subnet is in the local routing table.

You could try opening a case with support and seeing if this is a check they can disable for you (stop NAT checking to see if the destination is a local host).
