Meraki-MX400 Behind Palo Alto NAT issue

BinTN
Conversationalist

Meraki-MX400 Behind Palo Alto NAT issue

We are migrating an ASA to a Palo Alto firewall with an MX-400 behind it. I created a bi-directional NAT on the Palo which is identical from the ASA. This NAT is for the Meraki-VIP. There are also 2 physical IP's on the Meraki as well. The Meraki has the public NAT IP and port 1000 for the site-to-site VPN setup. I also have a outside-to-inside ACL on the Palo that allows traffic to hit the Merak-VIP on udp-10000.

 

We have tried this 2 two times with a vendor firewall engineer and once with Palo support on the phone for 4 hours and could never get it to register properly.

6 Replies 6
Steinbep
Getting noticed

BinTN-

 

I have this setup in my environment.  Send me a PM and I can try to set some time to help get you setup on the PAN side. 

 

I assume that since you have this behind another firewall you are running it as a Hub, correct? 

 

 

BinTN
Conversationalist

I just sent you a PM. Thanks.
PhilipDAth
Kind of a big deal
Kind of a big deal

Is there an ACL limiting traffic from inside to outside?

 

You can check out the needed firewal rules from the Meraki dashboard under Help/Firewall Info (on the top right hand corner).

BinTN
Conversationalist

The correct ACL's are in place. I believe it's something off with the NAT.

randhall
Getting noticed

Definitely not my strong suit and I'm not sure I'm following you, but...

 

Check the applicability of the Local Identification and/or Peer Identification fields in the General tab of your IKE Gateway config. 

Nick78
New here

I am doing something similar and 75% of my tunnels will register and the others will not no matter how many reboots I do and in what order.  Were you able to get this working?

Get notified when there are additional replies to this discussion.