SIG Tunnel and 1:1 NAT

jmacd
Conversationalist


I was wondering if anyone else has run into this issue before:


We just recently deployed an MX250 pair, along with the deployment of the Umbrella SIG Tunnels for SSL Decrypt among other services. Within this site we are hosting Exchange and Citrix. The MX holds the 1:1 NATs. However, with the SIG Tunnels active the 1:1 NATs do not function as intended. We get asymmetric routing. Basically, traffic comes in fine as expected (WAN1); however, when the server replies, the return traffic is being sent out the SIG Tunnel and fails, and the user gets "page not found". Short of disabling the subnet from the VPN, we are unable to bypass the SIG Tunnels. Disabling isn't an option, as this would not allow the subnet to utilize the SSL Decrypt and other policies from SIG.

Thanks in advance.

3 Replies
ww
Kind of a big deal

Yes, that sounds like a problem you could expect if you have a default route in your VPN. Maybe you can work something out using tunnel exclusions.


You could also look at whether you really need the NAT, or whether you can solve it using VPN tunnels.

jmacd
Conversationalist

Hi - We have tried the VPN Exclusions. Our issue is that the exclusions work great for an inside host going out to a known public IP; the issue is we are going out to an "ANY" address. Example: a user at a coffee shop hits the company public URL, gets translated via the MX, and then the inside IP. The server sends traffic back out, though SIG thinks it needs to go out its tunnel and not to the original source. We can't do that with VPN Exclusions.

Hey,

Have you ever found a solution to this issue, please? I'm facing the same behavior with 1:Many NAT.

Thank you.

Jozef
