Meraki

jmacd · ‎Dec 28 2022

I was wondering if anyone else has ran into this issue before:

We just recently deployed an MX250 pair, along with the deployment of the Umbrella SIG Tunnels for SSL Decrypt among other services. Within this site we are hosting exchange and citrix. The MX holds the 1:1 Nat's. However with the SIG Tunnels active the 1:1 Nat's do not function as intended. We get asymmetric routing. Basically - Traffic comes in fine as expect (Wan1) - However when the server replies the return traffic is being sent out the SIG Tunnel and fails, and user gets page not found. Short from disabling the subnet from the VPN, we are unable to bypass the SIG Tunnels. Disabling isn't an option as this would not allow the subnet to utilize the SSL Decrypt and other policies from SIG.

Thanks in advance.

ww · ‎Dec 28 2022

Yes that sounds like a problem you could expect if you have a default route in your vpn. Maybe you can work something out using tunnel exclusions

You could also look if you really need the nat or that you can solve it using vpn tunnels

jmacd · ‎Dec 28 2022

Hi - We have tried the VPN Exclusions, our issue is the exclusions work great for an inside host going out to a known Public IP - The issue is we are going out to an "ANY" address. Example - User at coffee shop hits Company public URL, get translated via MX and then inside IP. IP Server sends traffic back out, though SIG thinks it needs to go out it's tunnel and not the original source. We can't do that with VPN Exclusions.

JozefH · ‎Apr 10 2024

Hey,

have you ever found a solution to this issue, please? I'm facing the same behavior with 1:Many NAT.

Thank you.

Jozef

Meraki

Community

SIG Tunnel and 1:1 Nat

SIG Tunnel and 1:1 Nat