I'm trying to setup a small network of Meraki MX's as SDWAN to see if it makes the management of our branch network a bit easier. I've installed my Hub site, an MX100 in 1 arm mode and have it connected to the Meraki Portal. We are overloading all of our internal devices (PAT) behind the external interface of our Juniper SRX firewall. I've dropped an MX67 at a branch site which is connected via the internet and via our internal MPLS network.
When I set our hub Meraki MX100 as "Hub" in Site-to-site VPN config and my branch as a "Spoke", I can do the configuration, however my Hub Meraki says that it is behind a NAT unfriendly device. My spoke connects to the VPN registry because it's connected directly to the internet via it's WAN1 uplink. I saw that the VPN registry doesn't like to be behind devices that do port randomization and that there is an option to do Manual Port Forwarding and lock down the IP/Port that the Meraki will be using.
Has anyone got this working through a Juniper SRX and can share the Juniper configuration for this? We only have 1:1 or many:1 translations in our Juniper and I want to know the way that Meraki expects it to happen.
My branch Meraki can also route to the internet via the internal network. Does the WAN2 (internal via MPLS) interface on the branch Meraki also then need it's own static ip/port translation via the external firewall (via internal network) to be able to register that internal interface with the VPN registry to built an SD-WAN tunnel via the internal network? Is it an option to do 1:1 ip/port with the same external address ie Hub uses 172.30.19.50:35200 -> 22.214.171.124:35200, Branch1 uses 10.23.254.1:35300 -> 126.96.36.199:35300, Branch2 10.23.254.5:35310 -> 188.8.131.52:35310 etc?
I don't have any SRX to try and verify how to set things up, but perhaps this KB will help you decide what you need to do?
I'm thinking the second solution presented there might work for you?
For your MPLS question, Meraki actually has a document showing the best way to do this. Since you already have a Hub in one-arm mode this should apply directly to your network.
The easiest way is going to be to create a manual port forward for the hub.
The Juniper feature you're after is persistant NAT. You also need to increase the default number of persistant translations allowed if you have many AutoVPN tunnels through the SRX.
Thanks Owen. Is the NAT persistent a global setting or can this be enabled per rule? I've only seen this as a global option and this isn't something that I would do just for a single service.