topic Re: Question On NAT Configuration in General Topics

Question On NAT Configuration

MadanSudhindra — Thu, 27 Nov 2014 06:47:52 GMT

Hello All,

I have a PA-200 at home, sitting behind a Comcast modem, that hands out a single DHCP address.

I also have a Meraki Z1 VPN device associated with work, that I have behind the PA-200.

The Meraki requires that the source port not be translated, when attempting to contact the Meraki cloud concentrator.

The Defualy Source NAT gives me an error like this on the Meraki service end - "NAT Type: Unfriendly". Here is Meraki's troubleshooting document explaining the issue - Troubleshooting Automatic NAT traversal VPN Registration - Cisco Meraki KB - Meraki Dashboard

Any pointers on how I can successfully configure the PA-200 to pass the Meraki traffic without changing the source port, while allowing all my other home internet traffic to go through ?

Thanks,

Madan

Re: Question On NAT Configuration

_slv_ — Thu, 27 Nov 2014 07:25:54 GMT

Hello

I have meraki AP and I didnt experience any problem with NAT.

Please create security policy from IP_of_Meraki to Untrust with aplication any, service any that will allow traffic and after few hours/minuts You can go to traffic and filter traffic from this rule to see what apllication is needed.

In my scenario it is:

Regards

Slawek

Re: Question On NAT Configuration

HULK — Thu, 27 Nov 2014 08:15:37 GMT

Hello MadanSudhindra,

You may configure a separate NAT policy for VPN peer address, without port translation.

For example:

DHCP address on the PAN interface= 1.1.1.1 (untrust)

VPN peer public address =2.2.2.2

Create a NAT policy only for Meraki traffic and place this on the top of the policy table.

Hope this helps.

Thanks

Re: Question On NAT Configuration

MadanSudhindra — Thu, 27 Nov 2014 17:58:29 GMT

Hi HULK

When I try to use Dynamic IP type NAT, I have to specify a definite address. In my case, the address is handed out by Comcast's DHCP.

I tried defining a static with an address as a FQDN derived address, but NAT cannot use a FQDN type address when defining a static or a Dynamic IP NAT. It has a be a pre-defined value.

Hope this helps.

Re: Question On NAT Configuration

MadanSudhindra — Thu, 27 Nov 2014 17:59:27 GMT

Hello slv

I already have such a rule defined. It basically allows my home network IP address range to get out to the internet.

Re: Question On NAT Configuration

HULK — Thu, 27 Nov 2014 19:48:26 GMT

Hello MadanSudhindra,

Don't use FQDN name, use the address assigned by the DHCP server in a static form.

Thanks

Re: Question On NAT Configuration

HULK — Thu, 27 Nov 2014 20:01:21 GMT

But, that would be "dynamic IP and port" not "dynamic IP only"...?

THanks

Re: Question On NAT Configuration

MadanSudhindra — Thu, 27 Nov 2014 22:34:12 GMT

Hello @HULK,

That is something I can try.

I'll try it and let you know.

Thanks,

Madan

Re: Question On NAT Configuration

MadanSudhindra — Sun, 30 Nov 2014 20:08:02 GMT

Hello HULK,

I tried this, creating a Dynamic IP type NAT for the Meraki Device (for outbound service UDP 9350), while maintaining the Dynamic IP and Port type NAT for the rest of my traffic.

But once I committed the configuration, the firewall stopped passing traffic altogether.

I substituted the Dynamic IP NAT type, with a Static NAT and the same criteria, but the same issue continued.

Re: Question On NAT Configuration

HULK — Mon, 01 Dec 2014 06:22:45 GMT

Hello Madan,

Did you mention specific source and destination IP address on that new NAT policy...? Ideally, this NAT policy should not impact your other traffic.

Thanks

Re: Question On NAT Configuration

MadanSudhindra — Wed, 03 Dec 2014 06:39:27 GMT

Hello HULK,

Here is a screenshot of my NAT Policy -

I had to edit the NAT policy to all apply to traffic from the outside interface of the Meraki, as applying this to only port UDP 9350, will make everything appear OK on the Meraki portal, but wont create the VPN tunnels.