08-09-2018 10:46 AM
Hello,
We have a client with 300 branches that use Meraki. These branches have a DSL link on WAN 1 and MPLS on WAN 2.
We have the following problem.
The Meraki sends a UDP packet every 10 s from the IP of interface WAN 2, for example 10.200.2.10:3009; the traffic goes to the MPLS network and through to my client's datacenter, and before going out to the internet the Palo Alto itself NATs it to a public IP, for example 189.7.8.200:32300, towards the Meraki cloud 209.x.x.x:9350, and the Meraki registers with Meraki successfully. But in the next 10 s the same packet 10.200.2.10:3009 takes the same path and is NATed on the Palo Alto to the same public IP, 189.7.8.200:41250; however, the Palo Alto changes the source port. Is there any configuration on the Palo Alto to keep the same source port?
Thank you
Renato
08-09-2018 12:36 PM
Sounds like you are using Dynamic IP, Dynamic Port on the NAT policy rule.
I would create a new NAT rule above the current policy this traffic is hitting and set it so that it's a straight static IP; this will prevent the firewall from using a dynamic port and you can ensure that the traffic will always be seen by Meraki as one set IP. You could modify it to just dynamic IP instead of dynamic IP and port and accomplish the same thing; I just like to verify that I know exactly what IP those services will actually come across.
08-10-2018 04:47 AM
Hello,
Thank you for your feedback.
When dynamic IP was configured, the packet went out of the Meraki but we couldn't see the packet come back, so we configured dynamic IP and port.
My client has only one public IP; there is no public IP pool to configure, because dynamic IP doesn't work: probably only one branch gets out to the internet and the other Merakis don't work.
Renato
08-10-2018 06:52 AM
Did you create - as mentioned by @BPry - the dynamic IP NAT rule above the existing rule with DIPP?
According to Cisco the source port does not need to be the same as before NAT, it only needs to be the same continuously (https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_VPN_Registration_for_Meraki_A...). Palo Alto only changes the NAT source port when the firewall sees a new connection. This means you could also try to create a custom application where you set the timeout really high (even if I don't get why the NAT source port changes in connections when there is traffic every 10 seconds). With an application override rule you then force the traffic to be recognized as your custom application.
08-10-2018 06:59 AM
@Remo pretty much mentioned everything that I would state.
That being said, it's important to note here that we aren't saying you should change your current NAT policy to dynamic IP; if you only have a sole IP to work with, this would break things as you've already experienced. What we're saying is that a new policy should be created above your current NAT policy to specifically state that the Meraki control traffic should only be NAT'd to the dynamic IP; you don't want to change the source port on this traffic.
The application override rule that was mentioned would also be an option; however, I don't think the Meraki should be behind a DIPP policy, so I personally prefer just going with a dynamic IP NAT or a static IP NAT when applicable.
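As an added illustration (not from this thread and not PAN-OS code), a small Python model of what the two replies describe: first-match NAT rule lookup, a dedicated dynamic-IP rule placed above the catch-all DIPP rule so the inside source port is preserved, and the public port only changing once the UDP session has aged out. The cloud address, rule names, port pool and drop-on-collision behaviour are assumptions of the model; a real firewall may use another pool address or fall back to DIPP when two inside hosts share a source port.

```python
# Constructed model (not PAN-OS code) of first-match NAT lookup: "dipp" allocates
# a fresh public port for every new session, "dynamic-ip" keeps the inside port.
# Assumption: a port collision under dynamic-ip is modelled as a drop.
import ipaddress

PUBLIC_IP = "189.7.8.200"
MERAKI_CLOUD = "209.0.0.1"      # constructed; the page masks the real address
# rule = (name, source prefix, destination UDP port or None for any, mode)
OUTBOUND_PAT = ("Internet-PAT", "0.0.0.0/0", None, "dipp")
MERAKI_CTRL = ("Meraki-Control", "10.200.0.0/16", 9350, "dynamic-ip")

class Nat:
    def __init__(self, rules, udp_timeout):
        self.rules, self.udp_timeout = rules, udp_timeout
        self.sessions = {}      # (src, sport, dst, dport) -> [rule, public port, last seen]
        self.next_port = 32300  # constructed start of the DIPP port pool

    def _port_busy(self, port, now):
        return any(s[1] == port and now - s[2] <= self.udp_timeout
                   for s in self.sessions.values())

    def translate(self, now, src, sport, dst, dport):
        """Return (rule name, public port) or None if the packet is dropped."""
        sess = self.sessions.get((src, sport, dst, dport))
        if sess and now - sess[2] <= self.udp_timeout:   # live session: keep its mapping
            sess[2] = now
            return sess[0], sess[1]
        for name, net, port, mode in self.rules:          # first matching rule wins
            if ipaddress.ip_address(src) in ipaddress.ip_network(net) and port in (None, dport):
                break
        else:
            return None
        if mode == "dynamic-ip":                          # preserve the inside port
            if self._port_busy(sport, now):
                return None
            pub_port = sport
        else:                                             # DIPP: next free public port
            pub_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[src, sport, dst, dport] = [name, pub_port, now]
        return name, pub_port

def keepalive_ports(rules, udp_timeout, src="10.200.2.10", sport=3009, count=3):
    nat = Nat(rules, udp_timeout)  # public ports the cloud sees, one keepalive per 10 s
    hits = [nat.translate(t * 10, src, sport, MERAKI_CLOUD, 9350) for t in range(count)]
    return [h[1] if h else None for h in hits]

def second_branch_dropped(rules, udp_timeout):
    nat = Nat(rules, udp_timeout)  # second branch reuses inside port 3009 concurrently
    nat.translate(0, "10.200.2.10", 3009, MERAKI_CLOUD, 9350)
    return nat.translate(1, "10.200.3.10", 3009, MERAKI_CLOUD, 9350) is None
```

With a UDP timeout shorter than the 10 s keepalive interval the DIPP-only rulebase reproduces the symptom (a new public port each time), the dedicated dynamic-IP rule keeps port 3009, and the collision check reproduces the single-public-IP caveat raised in the thread.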