I have a PA-200 at home, sitting behind a Comcast modem, that hands out a single DHCP address.
I also have a Meraki Z1 VPN device associated with work, that I have behind the PA-200.
The Meraki requires that the source port not be translated when attempting to contact the Meraki cloud concentrator.
The default Source NAT gives me an error like this on the Meraki service end - "NAT Type: Unfriendly". Here is Meraki's troubleshooting document explaining the issue - Troubleshooting Automatic NAT traversal VPN Registration - Cisco Meraki KB - Meraki Dashboard
Any pointers on how I can successfully configure the PA-200 to pass the Meraki traffic without changing the source port, while allowing all my other home internet traffic to go through?
I have a Meraki AP and I didn't experience any problem with NAT.
Please create a security policy from IP_of_Meraki to Untrust with application any, service any that will allow traffic, and after a few hours/minutes you can go to Traffic and filter traffic from this rule to see what application is needed.
In my scenario it is:
You may configure a separate NAT policy for VPN peer address, without port translation.
DHCP address on the PAN interface = 126.96.36.199 (untrust)
VPN peer public address = 188.8.131.52
Create a NAT policy only for Meraki traffic and place this on the top of the policy table.
Hope this helps.
When I try to use Dynamic IP type NAT, I have to specify a definite address. In my case, the address is handed out by Comcast's DHCP.
I tried defining a static NAT with an FQDN-derived address, but NAT cannot use an FQDN type address when defining a static or a Dynamic IP NAT. It has to be a pre-defined value.
Hope this helps.
I tried this, creating a Dynamic IP type NAT for the Meraki Device (for outbound service UDP 9350), while maintaining the Dynamic IP and Port type NAT for the rest of my traffic.
But once I committed the configuration, the firewall stopped passing traffic altogether.
I substituted the Dynamic IP NAT type with a Static NAT and the same criteria, but the same issue continued.
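For reference, here is what the two-rule layout from the reply above looks like in PAN-OS set-command form. This is an added example, not configuration from anyone in this thread; the zone names "trust"/"untrust", the WAN interface ethernet1/1 and the Meraki Z1 inside address 192.168.1.20 are assumptions, and the public address 126.96.36.199 is the one quoted in the reply. As the later posts point out, Dynamic IP needs a fixed translated address, so this only applies where the untrust IP is known and stable.

```text
# Added example, not from the thread. Lines starting with # are annotations,
# not CLI input. Assumed: zones trust/untrust, WAN interface ethernet1/1,
# Meraki Z1 at 192.168.1.20, fixed public address 126.96.36.199.

# Rule 1 (must sit at the top): Meraki only, Dynamic IP keeps the source port
set rulebase nat rules Meraki-NoPAT from trust
set rulebase nat rules Meraki-NoPAT to untrust
set rulebase nat rules Meraki-NoPAT to-interface ethernet1/1
set rulebase nat rules Meraki-NoPAT source 192.168.1.20
set rulebase nat rules Meraki-NoPAT destination any
set rulebase nat rules Meraki-NoPAT service any
set rulebase nat rules Meraki-NoPAT source-translation dynamic-ip translated-address 126.96.36.199

# Rule 2 (below it): everything else, Dynamic IP and Port on the DHCP interface address
set rulebase nat rules Home-Outbound from trust
set rulebase nat rules Home-Outbound to untrust
set rulebase nat rules Home-Outbound to-interface ethernet1/1
set rulebase nat rules Home-Outbound source any
set rulebase nat rules Home-Outbound destination any
set rulebase nat rules Home-Outbound service any
set rulebase nat rules Home-Outbound source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Make sure the Meraki-specific rule is evaluated before the catch-all
move rulebase nat rules Meraki-NoPAT top

# Security policy as the first reply suggests: allow and log, then narrow
# the application once the traffic log shows what the Z1 actually uses
set rulebase security rules Allow-Meraki from trust to untrust source 192.168.1.20 destination any application any service any action allow log-end yes
```

After committing, `show running nat-policy` confirms the rule order and `test nat-policy-match` lets you check which rule a given source/destination pair hits before sending real traffic.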