Meraki

Community

VoIP and NAT on MX and CUBE

TimHughSmith
Getting noticed
‎Oct 12 2017 7:45 PM
‎Oct 12 2017 7:45 PM

VoIP and NAT on MX and CUBE

Hi guys,

 

I'm deploying a CUBE SBC hanging off our Meraki MX

What I've found so far is that we can do a 1:1 NAT with the MX, but it has not ALG to handle swapping out the external/internal SIP messages.

CUBE is a beast, and we can write SIP profiles to do this, but I don't really want to manually intervene like that.

 

I'm thinking at the moment, I may just give the CUBE a public IP (same network as outside MX interface) on an outside interface, and then give it an inside interface back into the MX on a DMZ.

 

That solution would work, but I would still rather have the CUBE behind the MX.I don't think I can route inbound traffic through the MX onto a DMZ without using NAT though?

I don't think I can route inbound traffic through the MX onto a DMZ without using NAT though? (I would still want to limit traffic with firewall rules from internet to CUBE)

 

This also just raises the question - can I have a DMZ running public IP's without NAT?

 

Has anyone else tackled this?

Am I missing anything?

 

Cheers,

 

Tim.

 

* EDIT * Just checking to see if I can do a 1:1 NAT with the same Public and LAN IP - i.e. 1.1.1.1 to 1.1.1.1 to achieve the inbound routing?

Labels:
0 Kudos
3 Replies 3
DavidH
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Oct 17 2017 5:31 AM
‎Oct 17 2017 5:31 AM

Hi Tim,

 

Both 1:1 NAT or 1:Many NAT would be options here, depending on how many ports you need to map and whether you need to map connections initiated by CUBE to a specific public address as well. The cleanest way to implement this would be to use a private IP address with CUBE. Would that work, i.e. does CUBE let you configure rules based on public IP addresses while it has a private IP address configured.

 

Cheers,

David

In response to DavidH
TimHughSmith
Getting noticed
‎Oct 17 2017 5:10 PM
‎Oct 17 2017 5:10 PM

Hi David,

 

It would definitely need to be a 1:1 bi-directional NAT, so CUBE uses same address outbound.

I can put SIP profiles onto CUBE that swap the public and private addressing, but it's not a clean option.

 

I have not had a chance to test yet. But I was wondering if we could create a DMZ with public IP's.

I was going to see if I could configure a NAT rule that basically uses the same IP as outside and inside.

I.e. Public ip 1.1.1.1 to Private ip 1.1.1.1

Then I was going to put that 1.1.1.1 in a DMZ.

 

It looked like it let me configure it, but I'm not sure if it will actually work yet.

 

Cheers,

 

Tim.

0 Kudos
In response to TimHughSmith
benny
Getting noticed
‎Jan 10 2018 1:55 PM
‎Jan 10 2018 1:55 PM

Hi Tim,

 

Did the 1:1 Nat with private addresses work for you?

 

I am currently testing a couple MX's in our MPLS environment. So far it seems to be working well, I'm a little skeptical if it is the correct approach. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.