S2S vpn overlapping subnets - Nat Lan to outside interface

hmc250000
Getting noticed

S2S vpn overlapping subnets - Nat Lan to outside interface

When setting up a site to site VPN with overlapping subnets can you NAT the an internal subnet to the outside interface (or a single public ip address) of the MX appliance on both sides of the VPN (other side is a non Meraki peer)?  Like PAT overloading or many to 1 Natting. Is this possible?

 

192.168.1.0/24 > NAT to outside interface 1.1.1.1 ----Internet-----NAT to outside interface 2.2.2.2 < 192.168.1.0/24

6 REPLIES 6
RomanMD
Building a reputation

Hi, not exactly as you described but somehow similar, is possible, however this will only work with Meraki Auto-VPN. According to documentation, this feature will not work with Non-meraki peers. 

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

 

 

Thanks. I do see the source address and source natted address. Where are the destination address and destination natted address defined? 

Inderdeep
Kind of a big deal
Kind of a big deal

@hmc250000 : Check this one 

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
RomanMD
Building a reputation

Actually, since this is for Auto VPN only, there is no need to define destination addresses.

You only do source NAT, the other end do its own source nat and those subnets should be advertised in the routing table.

192.168.1.1/24 -> translate to 10.0.1.0/24 -> talk to -> 10.0.2.0/24 <- translate to 192.168.1.1/24

 

If you want to have 1:Many source nat, the Port forwarding and NAT might be an option, but I doubt they will source traffic from s2s vpn interface. They are designed by default to source traffic from WAN interfaces.

Therefore, this is is more like to work when you have multiple sites with same IP range connected to a VPN HUB which will only initiate communication with the networks behind HUB but not between them, or networks behind hub will not be able to initiate communication with them.

Forgot to ask, would this work with Meraki MX in a different Organization? 

RomanMD
Building a reputation

No, this will not work.

Two Meraki MXes in different organizations can establish site to site VPN only as Non-Meraki peers.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels