Meraki behind PA - Unfriedly NAT

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Meraki behind PA - Unfriedly NAT

L1 Bithead

Hello community,

 

another person with the problem. I know, I know. Finding a solution to this problem is obviously not easy.

 

I have a problem with a Meraki cluster behind a PA cluster.
The problem is the familiar “Unfriendly NAT”.
I just can't figure out how to configure the PA so that it works. Countless articles on the internet don't help either.
The last one I read was:
https://live.paloaltonetworks.com/t5/general-topics/meraki-behind-pa850-site-to-site-error-unfriendl...

 

The setup:
The two Merakis have the IPs 10.10.10.1 and 10.10.10.2. The virtual IP of the WAN1 port is 10.10.10.3. (/29)
On the PA, port 5 is configured with 10.10.10.4.

 

The PA's WAN is ethernet1/1

 

The NAT rule on the PA:
Source: LAN
Destination: WAN
Destination IF: ethernet1/1
Source Address: 10.10.10.4/29
Destination Address: Any
Service: Any
Source Translation:
      Type: dynamic-ip-and-port
      Address Type: Interface Address
      Interface: ethernet1/1
      IP Address: PA's Public IP
Destination Translation: none

 

There is a big problem with two locations with the same setup.

No Meraki SD-WAN VPN connections are established between these locations.
All other locations that only have a Meraki as a breakout can connect to the two locations without any problems.

 

Until recently we still had Sophos and it worked wonderfully. But dismantling the PA cannot be the solution 😉

 

 

PA-445 | HA Cluster
3 REPLIES 3

Cyber Elite
Cyber Elite

Try to add DNAT for traffic coming from Internet to Meraki.

Although bi-directional setting in NAT policy would do it for you I highly discourage to use it as it is not exactly the same as creating 2 rules (SNAT and DNAT) manually.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NAT_Traversal

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hello, thank you very much for the help.

 

I knew the articles, but read them again and tried to build the NATs step by step.
No matter what NAT rule I build, it has 0 hits.

 

Can you tell me what the SNAT-DNAT rules have to look like in order for it to work?
Maybe mine is correct, but the problem lies somewhere else.

 

My config:
IP Meraki = 10.10.10.1
IP PA IF6.3321 = 10.10.10.2
IP PA IF1 = 195.300.299.298 (Public)

 

Zones:
LAN: ethernet1/6.3321
WAN: ethernet1/1

 

My source NAT rule:
Source Zone: LAN
Destination Zone: WAN
Destination Interface: IP PA IF1
Source Address: IP PA IF6.3321
Destination Address: ANY
Service: UDP_23543
Source Translation: Type: static-ip, Address: 195.300.299.298


My destination NAT rule:
Source Zone: WAN
Destination Zone: WAN
Destination Interface: ANY
Source Address: ANY
Destination Address: 195.300.299.298
Service: UDP_23543
Destination Translation: Type: static-ip, Address: IP Meraki


Both rules have no hits and the Meraki still says Unfriendly NAT.

 

 

PA-445 | HA Cluster

L4 Transporter

Was there a solution to this short of dedicating a static address on the outside to the Meraki?

  • 1883 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!