11-26-2014 10:47 PM
Hello All,
I have a PA-200 at home, sitting behind a Comcast modem, that hands out a single DHCP address.
I also have a Meraki Z1 VPN device associated with work, that I have behind the PA-200.
The Meraki requires that the source port not be translated, when attempting to contact the Meraki cloud concentrator.
The Default Source NAT gives me an error like this on the Meraki service end - "NAT Type: Unfriendly". Here is Meraki's troubleshooting document explaining the issue - Troubleshooting Automatic NAT traversal VPN Registration - Cisco Meraki KB - Meraki Dashboard
Any pointers on how I can successfully configure the PA-200 to pass the Meraki traffic without changing the source port, while allowing all my other home internet traffic to go through?
Thanks,
Madan
11-26-2014 11:25 PM
Hello
I have a Meraki AP and I didn't experience any problem with NAT.
Please create a security policy from IP_of_Meraki to Untrust with application any, service any that will allow traffic, and after a few hours/minutes you can go to traffic and filter traffic from this rule to see what application is needed.
In my scenario it is:
Regards
Slawek
11-27-2014 12:15 AM
Hello MadanSudhindra,
You may configure a separate NAT policy for VPN peer address, without port translation.
For example:
DHCP address on the PAN interface= 1.1.1.1 (untrust)
VPN peer public address =2.2.2.2
Create a NAT policy only for Meraki traffic and place this on the top of the policy table.
Hope this helps.
Thanks
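To make the "place it on top of the policy table" advice concrete, here is a small Python model of first-match NAT evaluation. It is an added illustration for this thread, not PAN-OS code and not anything from Palo Alto Networks or Meraki; it only models rule ordering and the difference between "dynamic IP" (address rewritten, source port kept) and "dynamic IP and port" (address and source port rewritten). The 1.1.1.1 and 2.2.2.2 addresses are the ones from the reply above; the inside address of the Meraki Z1 (192.168.1.50), the laptop flow (192.168.1.20 to 203.0.113.10) and the PAT port pool starting at 20000 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
import itertools

# Addresses from the reply above (1.1.1.1 untrust, 2.2.2.2 VPN peer).
# The Meraki Z1 inside address is an assumption for this example.
FW_UNTRUST_IP = "1.1.1.1"
MERAKI_PEER = "2.2.2.2"
MERAKI_Z1_INSIDE = "192.168.1.50"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass
class NatRule:
    name: str
    src: str                # inside source address, or "any"
    dst: str                # destination address, or "any"
    mode: str               # "dynamic-ip" or "dynamic-ip-and-port"
    translated_ip: str
    service: Optional[Tuple[str, int]] = None   # (proto, dst_port) or None = any

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and self.src != p.src_ip:
            return False
        if self.dst != "any" and self.dst != p.dst_ip:
            return False
        if self.service is not None and self.service != (p.proto, p.dst_port):
            return False
        return True


class NatTable:
    """Top-down, first-match evaluation: the first matching rule wins."""

    def __init__(self, rules: Iterable[NatRule], pat_pool_start: int = 20000):
        self.rules = list(rules)
        # Constructed PAT port pool; a real firewall picks ports differently.
        self._pat_ports = itertools.count(pat_pool_start)

    def translate(self, p: Packet) -> Tuple[str, Packet]:
        for r in self.rules:
            if not r.matches(p):
                continue
            if r.mode == "dynamic-ip":
                new_port = p.src_port            # source port preserved
            elif r.mode == "dynamic-ip-and-port":
                new_port = next(self._pat_ports)  # source port rewritten
            else:
                raise ValueError(f"unknown NAT mode {r.mode!r}")
            return r.name, Packet(r.translated_ip, new_port, p.dst_ip, p.dst_port, p.proto)
        return "no-nat", p


# Rule for the Meraki only: dynamic IP, no port translation, any service.
MERAKI_RULE = NatRule("meraki-no-pat", src=MERAKI_Z1_INSIDE, dst="any",
                      mode="dynamic-ip", translated_ip=FW_UNTRUST_IP)
# Catch-all rule for the rest of the home network: dynamic IP and port.
HOME_RULE = NatRule("home-pat", src="any", dst="any",
                    mode="dynamic-ip-and-port", translated_ip=FW_UNTRUST_IP)

# Constructed sample flows: the Meraki registration flow (UDP 9350, from the
# later post in this thread) and an ordinary laptop DNS query.
MERAKI_FLOW = Packet(MERAKI_Z1_INSIDE, 9350, MERAKI_PEER, 9350)
LAPTOP_FLOW = Packet("192.168.1.20", 51000, "203.0.113.10", 53)


def source_port_preserved(table: NatTable, p: Packet) -> Tuple[str, str, bool]:
    """Return (matched rule, translated source IP, whether the source port survived)."""
    rule, out = table.translate(p)
    return rule, out.src_ip, out.src_port == p.src_port


if __name__ == "__main__":
    good = NatTable([MERAKI_RULE, HOME_RULE])   # Meraki rule on top
    bad = NatTable([HOME_RULE, MERAKI_RULE])    # Meraki rule below the catch-all
    print("meraki on top, meraki flow :", source_port_preserved(good, MERAKI_FLOW))
    print("meraki on top, laptop flow :", source_port_preserved(good, LAPTOP_FLOW))
    print("catch-all on top, meraki  :", source_port_preserved(bad, MERAKI_FLOW))
```

With the Meraki rule first, the Meraki flow leaves as 1.1.1.1 with its source port untouched while the laptop still gets normal PAT; with the catch-all first, the Meraki rule is never reached and the source port is rewritten, which is the condition the Meraki registration check complains about. The Meraki rule above matches any service from the Z1's address rather than only UDP 9350, matching what the original poster reports later in this thread, where limiting the rule to UDP 9350 made the portal look healthy but did not bring the tunnels up.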
11-27-2014 09:58 AM
Hi HULK
When I try to use Dynamic IP type NAT, I have to specify a definite address. In my case, the address is handed out by Comcast's DHCP.
I tried defining a static with an address as a FQDN derived address, but NAT cannot use a FQDN type address when defining a static or a Dynamic IP NAT. It has to be a pre-defined value.
Hope this helps.
11-27-2014 09:59 AM
Hello slv
I already have such a rule defined. It basically allows my home network IP address range to get out to the internet.
11-27-2014 11:48 AM
Hello MadanSudhindra,
Don't use FQDN name, use the address assigned by the DHCP server in a static form.
Thanks
11-27-2014 12:01 PM
But, that would be "dynamic IP and port" not "dynamic IP only"...?
Thanks
11-27-2014 02:34 PM
Hello @HULK,
That is something I can try.
I'll try it and let you know.
Thanks,
Madan
11-30-2014 12:08 PM
Hello HULK,
I tried this, creating a Dynamic IP type NAT for the Meraki Device (for outbound service UDP 9350), while maintaining the Dynamic IP and Port type NAT for the rest of my traffic.
But once I committed the configuration, the firewall stopped passing traffic altogether.
I substituted the Dynamic IP NAT type, with a Static NAT and the same criteria, but the same issue continued.
11-30-2014 10:22 PM
Hello Madan,
Did you mention specific source and destination IP address on that new NAT policy...? Ideally, this NAT policy should not impact your other traffic.
Thanks
12-02-2014 10:39 PM
Hello HULK,
Here is a screenshot of my NAT Policy -
I had to edit the NAT policy to apply to all traffic from the outside interface of the Meraki, as applying this to only port UDP 9350 will make everything appear OK on the Meraki portal, but won't create the VPN tunnels.