Source NAT for VPN traffic @ Branch office

Mahadevan
Conversationalist

I am using an MX 84 appliance for my branch office connectivity and have established a site-to-site VPN with HO. We are trying to collect a few operational details from the branch-end projector to the HO server through SNMP. The problem is that the projector does not support routing: it responds to any traffic from the same IP segment but not from other IP segments. I confirmed this by enabling local L3 routing.

Can I do source NAT at the branch MX 84 device to make sure the traffic hits the projector from the same IP segment?

16 Replies
cmr
Kind of a big deal

@Mahadevan What is the projector model, it sounds like there is no default gateway set. Can you ping it from a remote subnet? I haven't seen an IP capable device where you cannot set a gateway for a long time but perhaps this is a very old device?

Mahadevan
Conversationalist

We are giving the gateway address at the projector end. Please find the projector details:

Make: Christie
Model: CP4325-RGB

cmr
Kind of a big deal

Can you ping the projector from its own subnet?

Can you ping it from a different subnet?


Mahadevan
Conversationalist

Can you ping the projector from its own subnet?
Yes

Can you ping it from a different subnet?
Nope

I have followed all this basic troubleshooting and only then posted this query.

cmr
Kind of a big deal

Did you follow the instructions below, and did you choose Manual? If so, what do you have for the first 3 fields, and what are the equivalents on your router/firewall/L3 switch?

1. Connect the Ethernet cable from the theater network to the Management port on the input panel.
2. In the left navigation menu, tap Service Setup > Network Settings.
3. In the Port list, tap Management.
4. Enter the network settings:
   • To obtain the network settings automatically, tap Automatic.
   • To enter the settings manually, tap Manual and complete these fields:
     IP Address: The IP address of the projector.
     Subnet Mask: The subnet mask to which the IP address belongs.
     Gateway: The IP address for the network gateway.
     Primary DNS: The IP address of the primary DNS server.
     Secondary DNS: The IP address of the secondary DNS server.
5. Tap Save.

Mahadevan
Conversationalist

@cmr Hi, as suggested by TAC I upgraded the firmware to 15.7 Beta and the Meraki product team enabled the feature in my console. Now I can enable source NAT at my local interface. Refer to the attachments.

[Attachments: NAT Execptions.JPG, Source NAT.JPG]

Due to the non-availability of the problematic device we could not test it. But how does it work? I have applied source NAT in my VLAN, and my expectation is to NAT the traffic which is coming from the other site's VPN to my local LAN. Anyhow, it could also work the opposite way: it could NAT my LAN IP into the MX interface IP and send it to other VPN sites. If it works in the second way I will not get a solution. Any thoughts?

whistleblower
Building a reputation

Hi,

Is Source NAT already officially released, or is it a hidden/beta feature? Unfortunately I couldn't find any documentation about it.

bobbymcneill
Comes here often

I'm also interested in this...did you ever receive an answer?

PhilipDAth
Kind of a big deal

If it is not the default gateway, perhaps the subnet mask is wrong. It is almost certainly one of those two.

To answer your original question: no, you cannot do SNAT.

Mahadevan
Conversationalist

@PhilipDAth Hi, as suggested by TAC I upgraded the firmware to 15.7 Beta and the Meraki product team enabled the feature in my console. Now I can enable source NAT at my local interface. Refer to the attachments.

[Attachments: NAT Execptions.JPG, Source NAT.JPG]

Due to the non-availability of the problematic device we could not test it. But how does it work? I have applied source NAT in my VLAN, and my expectation is to NAT the traffic which is coming from the other site's VPN to my local LAN. Anyhow, it could also work the opposite way: it could NAT my LAN IP into the MX interface IP and send it to other VPN sites. If it works in the second way I will not get a solution. Any thoughts?

JosRus
Meraki Employee

As this is being referenced in cases currently, I'd like to clarify the following:

"Disable NAT per uplink" is known as No-NAT, and this is a beta feature that isn't fully supported yet, as it is still undergoing internal testing and improvements. We do not recommend beta features for production environments; however, if your deployment requires the use of this feature, we recommend testing in a lab environment first.

"Source NAT" is currently not a supported feature, and will not function as intended, as it is also undergoing internal stability and performance testing at this time. We cannot recommend the use of this feature currently.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
pesos
Conversationalist

Hello JosRus, what is the status of source NAT now, 6 months later?

JosRus
Meraki Employee

The Source NAT feature is currently still considered Beta and under continued development. We have a lot of features being worked on and at times some need to take precedence over others.
As we aim to release features that are ready for implementation in your networks, source NAT is at the moment not recommended for production environments.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
MK2
Building a reputation

I'm still discussing this topic with support and wondering why most other vendors have a "complete NAT solution" implemented in their products. I don't want to install a Sophos in a Meraki-only environment because NAT is only implemented in a basic manner.

MK2
Building a reputation

Unfortunately nothing seems to have happened yet. Unfortunately I have another customer who needs internal NAT (between VLANs) and I can't offer him MX now.
Or does anyone else here have an idea?

ITSDigital
Conversationalist

Source NAT would be a super handy feature we could use. Hopefully it's still on the dev todo list.
