So, I had some information not identified to me correctly on the limitations of NAT/Address Translation with the MX Appliances. I had a basic Site to Site connection I had to build with a 3rd party to access their web application with LDAP credentials. Working with Meraki support, it took 3 months to resolve because of Address Translation issues. Essentially, the 3rd party couldn't use the IP Subnet range I was advertising to them. Eventually this was resolved by enabling an experimental feature for IPv4 translation within Security & SD-WAN > Site to Site VPN and setting the subnet that has that specific LDAP server on it to have a different IP Range (example: local 10.1.1.0/24 to 192.168.30.0/24).

But here is where things become tricky: that was one 3rd party Site to Site connection. I have at least 6 more that don't use Meraki gear. They may have Cisco ASAs, Fortinet, SonicWall, etc., and since the only NAT I can do is once per subnet, I have to align with all my 3rd parties that may be sharing IP space in the same VLAN to all use the same NAT IP Range. So an example would be: 3rd party vendor 2 accesses 10.1.1.5 and 3rd party vendor 3 accesses 10.1.1.10, but they both use NAT as they cannot use the standard subnet I am advertising. So instead of building a NAT per Site to Site, I have to essentially work with both 3rd parties at the same time and PRAY I find a subnet that they can both use so I can assign that as the translation subnet in VPN settings.

I've checked with other network engineers and solution architects at other IT firms, and this is for sure a limitation that they have all run into. I'm just at this point trying to figure out how I move forward, how to work around this, and if anyone has done anything different in a similar predicament and how they overcame it.
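As an added illustration of the one-translation-subnet-per-VLAN constraint described above (example code, not from the original post or from Meraki): given the local subnet and the address space each third-party peer already uses (constructed values), the helper reports which peers a proposed translation subnet would collide with, searches the private pools for a subnet none of them uses, and maps a local host to its translated address. It assumes the translation is a 1:1 subnet-to-subnet mapping that preserves the host offset.

```python
import ipaddress

# Constructed example data (hypothetical, not from the post): the local subnet
# holding the LDAP server, and the ranges each peer already has in use and so
# cannot accept over the tunnel.
LOCAL_SUBNET = ipaddress.ip_network("10.1.1.0/24")
PEER_ADDRESS_SPACE = {
    "vendor-1": [ipaddress.ip_network("10.0.0.0/8")],
    "vendor-2": [ipaddress.ip_network("10.1.0.0/16"),
                 ipaddress.ip_network("192.168.0.0/19")],
    "vendor-3": [ipaddress.ip_network("172.16.0.0/12")],
}
# RFC 1918 pools to draw a translation subnet from, in order of preference.
CANDIDATE_POOLS = [ipaddress.ip_network("192.168.0.0/16"),
                   ipaddress.ip_network("172.16.0.0/12")]


def conflicting_peers(candidate, peers):
    """Names of peers whose in-use ranges overlap the proposed translation subnet."""
    cand = ipaddress.ip_network(candidate)
    return [name for name, ranges in peers.items()
            if any(cand.overlaps(r) for r in ranges)]


def find_translation_subnet(local, peers, pools):
    """First subnet (same prefix length as the local one) from the pools that
    overlaps neither the local subnet nor any peer's in-use ranges, else None."""
    for pool in pools:
        for cand in pool.subnets(new_prefix=local.prefixlen):
            if not cand.overlaps(local) and not conflicting_peers(cand, peers):
                return cand
    return None


def translate_host(host, local, translated):
    """Address a peer must use for a local host under 1:1 subnet translation."""
    addr = ipaddress.ip_address(host)
    if addr not in local:
        raise ValueError(f"{addr} is not in {local}")
    offset = int(addr) - int(local.network_address)
    return ipaddress.ip_address(int(translated.network_address) + offset)


if __name__ == "__main__":
    print("192.168.30.0/24 conflicts with:", conflicting_peers("192.168.30.0/24", PEER_ADDRESS_SPACE))
    chosen = find_translation_subnet(LOCAL_SUBNET, PEER_ADDRESS_SPACE, CANDIDATE_POOLS)
    print("usable translation subnet:", chosen)
    for h in ("10.1.1.5", "10.1.1.10"):
        print(h, "->", translate_host(h, LOCAL_SUBNET, chosen))
```

With the constructed data the subnet from the post, 192.168.30.0/24, collides with vendor-2's 192.168.0.0/19, and the search settles on 192.168.32.0/24 instead, which every peer can accept.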