Meraki

Community

Site to Site VPN and use another WAN IP to NAT to LAN IP

Sakul
Getting noticed
‎Apr 3 2023 7:59 PM
‎Apr 3 2023 7:59 PM

Site to Site VPN and use another WAN IP to NAT to LAN IP

My client is a supplier for a large US automaker. The automaker requires every suppliers to crate a S2S VPN for its auto sequencing process. Currently my client uses Cisco ASA, and the setup goes like this.

 

Sakul_0-1680576747813.png

 

Now, I am replacing the ASA5505 with Meraki MX75, but I cannot find a way to do the S2S VPN NAT on the Meraki. I have tried the ‘Site to Site VPN Translation’ https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation, but when I tried to translate 210.1.xx.48/28 to 192.168.200.51, it gives me the ‘overlapping VPN subnet ’error. And I think this ‘Site to Site VPN Translation’ does not serve my purpose because the MX will translate all the WAN subnet (I need to only translate one IP). Can anyone shed me some light? Thanks,

0 Kudos
5 Replies 5
KarstenI
Kind of a big deal
Kind of a big deal
‎Apr 3 2023 10:59 PM
‎Apr 3 2023 10:59 PM

If the ASA 5505 did the job, I would replace it with a Firepower 1010 (running either FTD or ASA image) for this use case. The MX is quite limited when it comes to extranet VPNs.

0 Kudos
In response to KarstenI
Sakul
Getting noticed
‎Apr 4 2023 7:36 AM
‎Apr 4 2023 7:36 AM

Thanks Karstenl, but the client has already bought the MX with 5 year Adv Sec license 🙂
In fact, the client has been moving to Meraki Full stack, last year they replaced old Switch and AP to Meraki MS, and MR. and this last piece to replace is the MX.
So, I just want to confirm that MX is incapable of doing this 'S2S VPN another WAN IP NAT'? 
by the way, is there a specific term we call this kind of NAT?
Thanks again,

0 Kudos
In response to Sakul
KarstenI
Kind of a big deal
Kind of a big deal
‎Apr 4 2023 7:40 AM
‎Apr 4 2023 7:40 AM

with Cisco it is often referred Policy-NAT. 

In response to Sakul
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 4 2023 7:47 AM
‎Apr 4 2023 7:47 AM

Unfortunately it is not possible to do this with MX.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Sakul
Getting noticed
‎Apr 20 2023 8:17 AM
‎Apr 20 2023 8:17 AM

I end up keeping this 'Policy-NAT VPN' with Cisco ASA, and move everything else to Meraki MX 

Thanks everyone for the suggestion.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.