Question On NAT Configuration

Reply
Highlighted
L1 Bithead

Question On NAT Configuration

Hello All,

I have a PA-200 at home, sitting behind a Comcast modem, that hands out  a single DHCP address.

I also have a Meraki Z1 VPN device associated with work, that I have behind the PA-200.

The Meraki requires that the source port not be translated, when attempting to contact the Meraki cloud concentrator.

The Defualy Source NAT gives me an error like this on the Meraki service end - "NAT Type: Unfriendly". Here is Meraki's troubleshooting document explaining the issue - Troubleshooting Automatic NAT traversal VPN Registration - Cisco Meraki KB - Meraki Dashboard

Any pointers on how I can successfully configure the PA-200 to pass the Meraki traffic without changing the source port, while allowing all my other home internet traffic to go through ?

Thanks,

Madan

Highlighted
L4 Transporter

Hello

I have meraki AP and I didnt experience any problem with NAT.

Please create security policy from IP_of_Meraki to Untrust with aplication any, service any that will allow traffic and after few hours/minuts You can go to traffic and filter traffic from this rule to see what apllication is needed.

In my scenario it is:

2014-11-27_082350.png

Regards

Slawek

Highlighted
L7 Applicator

Hello MadanSudhindra,

You may configure a separate NAT policy for VPN peer address, without port translation.

For example:

DHCP address on the PAN interface= 1.1.1.1 (untrust)

VPN peer public address =2.2.2.2

Create a NAT policy only for Meraki traffic and place this on the top of the policy table.

NAT-vpn.JPG

NAT-vpn-1.JPG

Hope this helps.

Thanks

Highlighted
L1 Bithead

Hi HULK

When I try to use Dynamic IP type NAT, I have to specify a definite address. In my case, the address is handed out by Comcast's DHCP.

I tried defining a static with an address as a FQDN derived address, but NAT cannot use a FQDN type address when defining a static or a Dynamic IP NAT. It has a be a pre-defined value.

Hope this helps.

Highlighted
L1 Bithead

Hello slv

I already have such a rule defined. It basically allows my home network IP address range to get out to the internet.

Highlighted
L7 Applicator

Hello MadanSudhindra,

Don't use FQDN name, use the address assigned by the DHCP server in a static form.

Thanks

Highlighted
L7 Applicator

But, that would be "dynamic IP and port" not "dynamic IP only"...?

THanks

Highlighted
L1 Bithead

Hello @HULK,

That is something I can try.

I'll try it and let you know.

Thanks,

Madan

Highlighted
L1 Bithead

Hello HULK,

I tried this, creating a Dynamic IP type NAT for the Meraki Device (for outbound service UDP 9350), while maintaining the Dynamic IP and Port type NAT for the rest of my traffic.

But once I committed the configuration, the firewall stopped passing traffic altogether.

I substituted the Dynamic IP NAT type, with a Static NAT and the same criteria, but the same issue continued.

Highlighted
L7 Applicator

Hello Madan,

Did you mention specific source and destination IP address on that new NAT policy...? Ideally, this NAT policy should not impact your other traffic.

Thanks

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!