11-11-2023 04:38 PM
Hello community,
Another person with the problem. I know, I know. Finding a solution to this problem is obviously not easy.
I have a problem with a Meraki cluster behind a PA cluster.
The problem is the familiar “Unfriendly NAT”.
I just can't figure out how to configure the PA so that it works. Countless articles on the internet don't help either.
The last one I read was:
https://live.paloaltonetworks.com/t5/general-topics/meraki-behind-pa850-site-to-site-error-unfriendl...
The setup:
The two Merakis have the IPs 10.10.10.1 and 10.10.10.2. The virtual IP of the WAN1 port is 10.10.10.3. (/29)
On the PA, port 5 is configured with 10.10.10.4.
The PA's WAN is ethernet1/1
The NAT rule on the PA:
Source: LAN
Destination: WAN
Destination IF: ethernet1/1
Source Address: 10.10.10.4/29
Destination Address: Any
Service: Any
Source Translation:
      Type: dynamic-ip-and-port
      Address Type: Interface Address
      Interface: ethernet1/1
      IP Address: PA's Public IP
Destination Translation: none
There is a big problem with two locations with the same setup.
No Meraki SD-WAN VPN connections are established between these locations.
All other locations that only have a Meraki as a breakout can connect to the two locations without any problems.
Until recently we still had Sophos and it worked wonderfully. But dismantling the PA cannot be the solution 😉
11-11-2023 05:41 PM
Try to add DNAT for traffic coming from Internet to Meraki.
Although the bi-directional setting in the NAT policy would do it for you, I highly discourage using it, as it is not exactly the same as creating 2 rules (SNAT and DNAT) manually.
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NAT_Traversal
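A small constructed model, added here and not PAN-OS code or anything from Meraki, of why a 1:1 static SNAT with its matching DNAT leaves the Meraki with a reachable public endpoint while a dynamic-ip-and-port (DIPP) rule does not; the addresses and the UDP port are assumed placeholders.

```python
# Constructed model of two NAT styles seen by a Meraki MX registering for Auto VPN.
# "static": 1:1 source NAT (port preserved) plus a DNAT rule for inbound traffic.
# "dipp":   dynamic-ip-and-port, a fresh public port per outbound flow, no inbound rule.
from dataclasses import dataclass, field
import itertools

PUBLIC_IP = "198.51.100.10"                  # assumed placeholder (RFC 5737 range)
MERAKI_IP, MERAKI_PORT = "10.10.10.1", 9350  # inside address from the thread; port assumed


@dataclass
class Nat:
    mode: str                                   # "static" or "dipp"
    table: dict = field(default_factory=dict)   # (src_ip, src_port, dst) -> public port
    ports: itertools.count = field(default_factory=lambda: itertools.count(40000))

    def outbound(self, dst):
        """Translate a packet from the Meraki to dst; return the public (ip, port)."""
        if self.mode == "static":
            return (PUBLIC_IP, MERAKI_PORT)          # 1:1 mapping keeps the source port
        key = (MERAKI_IP, MERAKI_PORT, dst)          # DIPP: mapping is per destination
        port = self.table.setdefault(key, next(self.ports))
        return (PUBLIC_IP, port)

    def inbound(self, src, dst_port):
        """Does an unsolicited packet from src to PUBLIC_IP:dst_port reach the Meraki?"""
        if self.mode == "static":
            return dst_port == MERAKI_PORT           # the DNAT rule forwards it
        # DIPP only admits replies on the exact flow that created the mapping
        return self.table.get((MERAKI_IP, MERAKI_PORT, src)) == dst_port


def auto_vpn_reachable(nat):
    """Simulate registration with the VPN registry, then a peer contacting the learned endpoint."""
    registry = ("203.0.113.5", 9350)   # assumed placeholder registry address
    peer = ("203.0.113.9", 9350)       # assumed placeholder remote MX
    learned = nat.outbound(registry)   # registry records the public endpoint it saw
    return nat.inbound(peer, learned[1])  # the peer tries that endpoint


if __name__ == "__main__":
    for mode in ("static", "dipp"):
        print(mode, "->", "friendly" if auto_vpn_reachable(Nat(mode)) else "unfriendly NAT")
```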
11-21-2023 05:49 AM
Hello, thank you very much for the help.
I knew the articles, but read them again and tried to build the NATs step by step.
No matter what NAT rule I build, it has 0 hits.
Can you tell me what the SNAT-DNAT rules have to look like in order for it to work?
Maybe mine is correct, but the problem lies somewhere else.
My config:
IP Meraki = 10.10.10.1
IP PA IF6.3321 = 10.10.10.2
IP PA IF1 = 195.300.299.298 (Public)
Zones:
LAN: ethernet1/6.3321
WAN: ethernet1/1
My source NAT rule:
Source Zone: LAN
Destination Zone: WAN
Destination Interface: IP PA IF1
Source Address: IP PA IF6.3321
Destination Address: ANY
Service: UDP_23543
Source Translation: Type: static-ip, Address: 195.300.299.298
My destination NAT rule:
Source Zone: WAN
Destination Zone: WAN
Destination Interface: ANY
Source Address: ANY
Destination Address: 195.300.299.298
Service: UDP_23543
Destination Translation: Type: static-ip, Address: IP Meraki
Both rules have no hits and the Meraki still says Unfriendly NAT.
09-19-2024 09:11 AM
Was there a solution to this short of dedicating a static address on the outside to the Meraki?