
No NAT on MX Security Appliances

Overview

In some circumstances, network administrators have topologies that require network traffic to egress the WAN interface while keeping its private source address. Rewriting all internal source IPs is recommended because it hides the internal addressing from the upstream network, but some use cases require internal traffic to keep its original internal source IP. A typical use case is a layer 3 MPLS VPN terminating on a WAN uplink of the MX. The No NAT feature allows MX appliances to support these use cases.

Feature

In order to provide support for these topologies, the Meraki MX supports No NAT. No NAT will allow the source IP address of a packet received by an MX to remain the same when traversing a specified WAN uplink.

Example

The example below shows how No NAT affects network traffic.

Reference Topology

[Diagram: reference topology]

This example will be based on a reference or "base-line" topology. This topology has the following:

  • An MX at the branch or remote location operating in NAT mode. This is labeled as "Branch MX."

    • There are two VLANs at the branch location - VLAN 10 and VLAN 12

    • VLAN 12 is defined as 10.10.10.0/24, with the MX's IP address in the VLAN being 10.10.10.1

    • VLAN 10 is defined as 10.20.30.0/24, with the MX's IP address in the VLAN being 10.20.30.1

  • In addition to the Branch MX, there is another L3 device (PE) upstream from WAN 2 of the NAT mode MX. This is labeled as "PE Device" and has an IP address of 172.16.12.1.

  • There are two branch clients:

    • A VLAN 12 client with IP address 10.10.10.10 and a default gateway of 10.10.10.1

    • A VLAN 20 client with IP address 10.20.30.4 and a default gateway of 10.20.30.1

  • There is also a remote datacenter. Within the datacenter there is:

    • A layer 3 device acting as a L3VPN endpoint in the datacenter. This is labeled as "DC CPE." There is an Auto VPN connection between the VPN Concentrator and the Branch MX.

      • In all scenarios the L3VPN connection is fully operational

      • Datacenter has static routes back to VLAN 12 but not VLAN 20

    • Within the datacenter there is a services subnet of 192.168.1.0/24

    • There is a client within the datacenter services subnet labeled "Datacenter server" with IP address 192.168.1.10


The Problem

Within our reference topology, consider the following scenario:

  • The Datacenter server transmits traffic destined for the VLAN 12 client.


With our current topology, this traffic will fail: the Datacenter server's packets never reach the client in VLAN 12. The VLAN 12 client sits behind a stateful NAT, which only passes inbound WAN traffic that matches a flow the client itself initiated; a connection initiated from the datacenter has no such state on the Branch MX and is dropped.


Solution

Within our reference topology, consider the following scenario:

  • The Datacenter server transmits traffic destined for the VLAN 12 client.

  • Traffic sourced from the Datacenter is received on WAN2 of the MX and is forwarded.

  • Client responds to the Datacenter and maintains source IP when traversing WAN2 of MX.


Given this configuration, traffic will follow this process flow:

  1. Datacenter server sends traffic destined for 10.10.10.10. The traffic will be routed within the datacenter to the CPE device. From there it will be forwarded to the provider edge equipment then travel across the MPLS VPN and is received by the Branch MX (Static routes will need to be implemented on the PE device until OSPF or BGP is supported on the WAN interface).

  2. The traffic is then received by the Branch MX. Inbound firewall rules have been disabled so traffic can be forwarded towards the VLAN 12 client.

  3. The VLAN 12 client receives the traffic from the Datacenter server and generates a response. It will respond by sending the traffic to its gateway of 10.10.10.1.

  4. The response from the VLAN 12 client is received on the LAN of the branch MX and is forwarded out WAN 2. The source IP is maintained as 10.10.10.10 and the destination IP is 192.168.1.10.

  5. Traffic is then routed over the MPLS VPN towards the Datacenter server.
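To make the difference between the Problem and the Solution concrete, here is an added example (not Meraki code, and not a model of the actual MX data plane) that simulates the Branch MX as a small stateful NAT with an optional No NAT uplink and an inbound firewall toggle. All addresses are the ones in the reference topology except the MX's own WAN 2 address, which is a constructed placeholder. The three scenarios show the datacenter-initiated flow being dropped behind NAT, a client-initiated flow succeeding through NAT state, and the datacenter-initiated flow succeeding once No NAT is enabled on WAN 2 and inbound firewall rules are disabled (steps 1 to 5 above).

```python
"""Simulation of the reference topology: stateful NAT vs. No NAT on WAN 2."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# VLAN subnets from the reference topology
BRANCH_LAN = [ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_network("10.20.30.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class BranchMX:
    wan2_ip: str = "172.16.12.2"        # constructed; the page only gives the PE address 172.16.12.1
    no_nat_wan2: bool = False           # the "No NAT" setting for the WAN 2 uplink
    inbound_firewall: bool = True       # drops unsolicited WAN-to-LAN traffic
    nat_table: dict = field(default_factory=dict)   # translated sport -> (orig src, orig sport, dst, dport)
    _next_port: int = 40000

    def lan_to_wan2(self, pkt: Packet) -> Packet:
        """Egress over WAN 2: keep the source (No NAT) or translate it to the WAN 2 address."""
        if self.no_nat_wan2:
            return pkt
        port, self._next_port = self._next_port, self._next_port + 1
        self.nat_table[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.wan2_ip, pkt.dst, port, pkt.dport)

    def wan2_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """Ingress on WAN 2: the packet delivered to the LAN, or None if dropped."""
        # A reply matching an existing NAT entry is un-translated and allowed in.
        entry = self.nat_table.get(pkt.dport)
        if pkt.dst == self.wan2_ip and entry and (pkt.src, pkt.sport) == (entry[2], entry[3]):
            return Packet(pkt.src, entry[0], pkt.sport, entry[1])
        # Unsolicited traffic for a branch VLAN is only forwarded with the inbound firewall off.
        if any(ipaddress.ip_address(pkt.dst) in net for net in BRANCH_LAN) and not self.inbound_firewall:
            return pkt
        return None  # no NAT state for this flow and the stateful firewall blocks it


DC_SERVER, VLAN12_CLIENT = "192.168.1.10", "10.10.10.10"


def problem_scenario() -> Optional[Packet]:
    """The Problem: the datacenter server initiates a flow to the VLAN 12 client via a NAT-mode MX."""
    mx = BranchMX()
    return mx.wan2_to_lan(Packet(DC_SERVER, VLAN12_CLIENT, 50000, 443))


def outbound_initiated_scenario():
    """Same NAT-mode MX, but the client initiates: NAT state lets the reply come back."""
    mx = BranchMX()
    on_wan = mx.lan_to_wan2(Packet(VLAN12_CLIENT, DC_SERVER, 51000, 443))
    reply = mx.wan2_to_lan(Packet(DC_SERVER, on_wan.src, 443, on_wan.sport))
    return on_wan, reply


def solution_scenario():
    """The Solution: No NAT on WAN 2 plus inbound firewall disabled (steps 1 to 5)."""
    mx = BranchMX(no_nat_wan2=True, inbound_firewall=False)
    delivered = mx.wan2_to_lan(Packet(DC_SERVER, VLAN12_CLIENT, 50000, 443))   # steps 1-2
    if delivered is None:
        return None, None
    reply = Packet(delivered.dst, delivered.src, delivered.dport, delivered.sport)  # step 3
    return delivered, mx.lan_to_wan2(reply)                                         # steps 4-5


if __name__ == "__main__":
    print("problem (NAT mode, datacenter initiates):", problem_scenario())
    print("client initiates through NAT:", outbound_initiated_scenario())
    print("solution (No NAT on WAN 2):", solution_scenario())
```

In the solution scenario the reply leaves WAN 2 with source 10.10.10.10 and destination 192.168.1.10, exactly as in step 4; the model also makes clear that No NAT alone is not enough, because without the inbound firewall change the datacenter-initiated packet is still dropped in step 2.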


Feature Requirements

In order for this feature to be utilized or configured, the following criteria must be met:

  • Appliance must be running wired-15-4 or later

  • Must be enabled by Meraki support

Configuration

Below is a screenshot taken from a sample MX showing the No NAT feature configuration:

[Screenshot: No NAT configuration options on a sample MX]

In the screenshot above you can select two options for exempting traffic from NAT. The first option disables NAT per uplink: all traffic traversing that WAN interface keeps its original source IP address. The second option disables NAT on a per-VLAN basis for each individual uplink, so only the selected VLANs keep their source address on that uplink. A typical use case for the per-VLAN option is a DMZ VLAN whose nodes have public addresses behind the appliance.
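The two options above differ mainly in how much of the internal addressing they expose to the upstream network. The following added example (not Meraki code; the configuration dict and the DMZ VLAN 99 are constructed for illustration) represents both options in a small config structure, shows which source address a peer beyond each uplink would see, and audits the configuration for the cases a defender would want to review: a whole uplink exempted from NAT, and RFC 1918 space exempted on an uplink that may not route it back.

```python
"""Audit a No NAT configuration: per-uplink vs. per-VLAN exemptions."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed configuration. VLANs 10 and 12 come from the reference topology; VLAN 99 is a
# hypothetical DMZ using TEST-NET-3 (203.0.113.0/24) to stand in for public addresses.
CONFIG = {
    "vlans": {10: "10.20.30.0/24", 12: "10.10.10.0/24", 99: "203.0.113.0/28"},
    "uplinks": {
        "WAN1": {"no_nat": False, "no_nat_vlans": [99]},   # option 2: exempt only the DMZ VLAN
        "WAN2": {"no_nat": True, "no_nat_vlans": []},      # option 1: whole uplink, the L3VPN case
    },
}


def nat_disabled(config: dict, uplink: str, vlan: int) -> bool:
    """True when traffic from `vlan` keeps its original source IP when leaving `uplink`."""
    up = config["uplinks"][uplink]
    return bool(up["no_nat"]) or vlan in up["no_nat_vlans"]


def egress_source(config: dict, uplink: str, vlan: int, client_ip: str, uplink_ip: str) -> str:
    """Source address a peer beyond `uplink` sees for a packet from `client_ip` in `vlan`."""
    return client_ip if nat_disabled(config, uplink, vlan) else uplink_ip


def is_rfc1918(subnet: str) -> bool:
    """True if the subnet lies entirely within RFC 1918 private space."""
    net = ipaddress.ip_network(subnet)
    return any(net.subnet_of(priv) for priv in RFC1918)


def audit_no_nat(config: dict) -> list:
    """Return (severity, message) findings for the No NAT settings."""
    findings = []
    for name, up in config["uplinks"].items():
        if up["no_nat"]:
            findings.append(("review", f"{name}: No NAT is enabled for the whole uplink; every VLAN "
                                       "leaves with its internal source address. Prefer per-VLAN "
                                       "exemptions unless the uplink is a private L3VPN."))
        for vlan in up["no_nat_vlans"]:
            subnet = config["vlans"].get(vlan)
            if subnet is None:
                findings.append(("error", f"{name}: exempted VLAN {vlan} is not defined"))
            elif is_rfc1918(subnet):
                findings.append(("review", f"{name}: VLAN {vlan} ({subnet}) is RFC 1918 space exempted "
                                           "from NAT; the upstream must hold a return route for it, "
                                           "and replies cannot come back over the public internet"))
            else:
                findings.append(("info", f"{name}: VLAN {vlan} ({subnet}) carries public addresses; "
                                         "this matches the DMZ use case"))
    return findings


if __name__ == "__main__":
    print(egress_source(CONFIG, "WAN1", 12, "10.10.10.10", "198.51.100.2"))   # translated
    print(egress_source(CONFIG, "WAN1", 99, "203.0.113.5", "198.51.100.2"))   # preserved (per-VLAN)
    print(egress_source(CONFIG, "WAN2", 12, "10.10.10.10", "172.16.12.2"))    # preserved (per-uplink)
    for severity, msg in audit_no_nat(CONFIG):
        print(f"[{severity}] {msg}")
```

The audit treats the per-uplink option as something to review rather than an error, because it is exactly what the MPLS L3VPN use case on this page calls for; the point is that the narrower per-VLAN option should be the default choice whenever only a DMZ or a single subnet needs its addresses preserved.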

Article ID

ID: 6828
