topic Re: Meraki behind PA - Unfriedly NAT in General Topics

Meraki behind PA - Unfriedly NAT

Frank_Liebelt — Sun, 12 Nov 2023 00:38:50 GMT

Hello community,

another person with the problem. I know, I know. Finding a solution to this problem is obviously not easy.

I have a problem with a Meraki cluster behind a PA cluster.
The problem is the familiar “Unfriendly NAT”.
I just can't figure out how to configure the PA so that it works. Countless articles on the internet don't help either.
The last one I read was:
https://live.paloaltonetworks.com/t5/general-topics/meraki-behind-pa850-site-to-site-error-unfriendly-nat/m-p/259750#M73626

The setup:
The two Merakis have the IPs 10.10.10.1 and 10.10.10.2. The virtual IP of the WAN1 port is 10.10.10.3. (/29)
On the PA, port 5 is configured with 10.10.10.4.

The PA's WAN is ethernet1/1

The NAT rule on the PA:
Source: LAN
Destination: WAN
Destination IF: ethernet1/1
Source Address: 10.10.10.4/29
Destination Address: Any
Service: Any
Source Translation:
Type: dynamic-ip-and-port
Address Type: Interface Address
Interface: ethernet1/1
IP Address: PA's Public IP
Destination Translation: none

There is a big problem with two locations with the same setup.

No Meraki SD-WAN VPN connections are established between these locations.
All other locations that only have a Meraki as a breakout can connect to the two locations without any problems.

Until recently we still had Sophos and it worked wonderfully. But dismantling the PA cannot be the solution 😉

Re: Meraki behind PA - Unfriedly NAT

Raido_Rattameister — Sun, 12 Nov 2023 01:41:17 GMT

Try to add DNAT for traffic coming from Internet to Meraki.

Although bi-directional setting in NAT policy would do it for you I highly discourage to use it as it is not exactly the same as creating 2 rules (SNAT and DNAT) manually.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NAT_Traversal

Re: Meraki behind PA - Unfriedly NAT

Frank_Liebelt — Tue, 21 Nov 2023 13:49:41 GMT

Hello, thank you very much for the help.

I knew the articles, but read them again and tried to build the NATs step by step.
No matter what NAT rule I build, it has 0 hits.

Can you tell me what the SNAT-DNAT rules have to look like in order for it to work?
Maybe mine is correct, but the problem lies somewhere else.

My config:
IP Meraki = 10.10.10.1
IP PA IF6.3321 = 10.10.10.2
IP PA IF1 = 195.300.299.298 (Public)

Zones:
LAN: ethernet1/6.3321
WAN: ethernet1/1

My source NAT rule:
Source Zone: LAN
Destination Zone: WAN
Destination Interface: IP PA IF1
Source Address: IP PA IF6.3321
Destination Address: ANY
Service: UDP_23543
Source Translation: Type: static-ip, Address: 195.300.299.298

My destination NAT rule:
Source Zone: WAN
Destination Zone: WAN
Destination Interface: ANY
Source Address: ANY
Destination Address: 195.300.299.298
Service: UDP_23543
Destination Translation: Type: static-ip, Address: IP Meraki

Both rules have no hits and the Meraki still says Unfriendly NAT.

Re: Meraki behind PA - Unfriedly NAT

TonyDeHart — Thu, 19 Sep 2024 16:11:50 GMT

Was there a solution to this short of dedicating a static address on the outside to the Meraki?