Site to Site VPN NAT

james.arscott85
Level 1

Hi All

Bit of an odd one. I have a requirement to create a site to site IPSEC VPN. Our internal LAN range is 10.0.0.0/24. We are connecting to a network that has an internal range of 15.0.0.0/8. We are using a Meraki on our side going to a Cisco VPN Concentrator. We are able to create the VPN uplink fine, and traffic flows OK. However, the team on the other end would like all traffic from our network to not show our internal address of 10.0.0.0 but to show an address of 15.15.15.15 instead. Now obviously we don't have ownership of this address, but they are essentially assigning us this address so that all our traffic on their LAN shows as 'our' IP they have given us. The other end is in a different country and is looked after by a different company. I have never come across this sort of setup before, but they have assured us this is how they usually do things. I am at a real loss as to how or indeed what on earth I would configure to try and do this. Has anyone come across this before, and does anyone have any ideas where I would configure this?

Thank you in advance.

James

Accepted Solution

Jon Marshall
Hall of Fame

James

If they have assigned you just that IP address, then it must be your side only that initiates the connection.

If so, you need to NAT all your IPs to that IP address, and then your VPN must refer to that IP address when you set up the encryption domains, i.e. the local and remote network part of the VPN.

With VPNs between different companies you often do NAT at one end or both. I have not done it where the remote end assigned an IP from their range, but it should work as long as they set up their routing correctly.

Jon


5 Replies


Hi Jon

Thank you for your swift reply. OK, that makes some sense: NAT before the VPN. It will be our side that initiates the connection, so that is also fine. However, I am still slightly confused about the settings I will need to update. At the moment my policy states my internal IP range for local addresses and their range for remote addresses. I imagine there is somewhere else I need to look to tell it to use the assigned IP instead? I know that this isn't a Meraki forum, but even on a standard Cisco device where would I look?

Thank you very much for your time.

James

On a Cisco device you usually use an ACL to define the interesting traffic, i.e. the local IPs and the remote IPs.

So it is this you would update, and your local IP is now the one they assigned to you.

In other, non-Cisco devices you often see the term "encryption domains" to describe the same thing.

Jon
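The following is an added IOS-style configuration illustrating the two steps Jon describes (NAT the LAN behind the assigned address, then point the crypto ACL at that address); it is an editorial example, not configuration from the thread, from Meraki, or from the partner's concentrator. It assumes GigabitEthernet0/0 is the LAN interface and GigabitEthernet0/1 the Internet-facing one, and uses 203.0.113.1 (RFC 5737 documentation space) as a placeholder for the partner's peer address. The addresses 10.0.0.0/24, 15.0.0.0/8 and 15.15.15.15 are the ones from the thread. On IOS, inside-to-outside NAT is applied before the crypto map is evaluated, which is why the crypto ACL has to match the translated source rather than 10.0.0.0/24.

```cisco
! Added example (not from the thread): NAT before IPsec on a Cisco IOS router.
! Assumptions: Gi0/0 = LAN 10.0.0.0/24, Gi0/1 = Internet,
! 203.0.113.1 = placeholder for the partner's VPN concentrator.

! --- 1. Policy NAT: only traffic bound for the partner's 15.0.0.0/8 is translated ---
ip access-list extended NAT-TO-PARTNER
 permit ip 10.0.0.0 0.0.0.255 15.0.0.0 0.255.255.255

! The assigned 15.15.15.15 is used as a one-address pool with PAT (overload).
! Every inside host hides behind that single address, so only our side can
! initiate sessions, which is the limitation Jon points out.
ip nat pool PARTNER-POOL 15.15.15.15 15.15.15.15 netmask 255.255.255.255
ip nat inside source list NAT-TO-PARTNER pool PARTNER-POOL overload

! --- 2. Crypto ACL (the "encryption domain") ---
! Wrong: this references the pre-NAT range. After translation the packets
! no longer match, so they fall through to normal routing instead of
! entering the tunnel.
! ip access-list extended VPN-TO-PARTNER
!  permit ip 10.0.0.0 0.0.0.255 15.0.0.0 0.255.255.255
!
! Correct: the local side is the assigned address, the remote side 15.0.0.0/8.
ip access-list extended VPN-TO-PARTNER
 permit ip host 15.15.15.15 15.0.0.0 0.255.255.255

! --- 3. IKE / IPsec (parameters must be agreed with the partner) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 203.0.113.1
crypto ipsec transform-set PARTNER-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map PARTNER-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set PARTNER-TS
 match address VPN-TO-PARTNER

! --- 4. Bind NAT and the crypto map to the interfaces ---
interface GigabitEthernet0/0
 description LAN 10.0.0.0/24
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 description Internet
 ip nat outside
 crypto map PARTNER-MAP
```

The partner's encryption domain has to be the mirror image (local 15.0.0.0/8, remote host 15.15.15.15), and their routing must deliver 15.15.15.15 to the tunnel, which is the "as long as they set up their routing correctly" condition. To check that traffic is both translated and encrypted, `show ip nat translations` should list entries with 15.15.15.15 as the translated source, and `show crypto ipsec sa` should show the encaps/decaps counters increasing for the 15.15.15.15 to 15.0.0.0/8 proxy identities.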

Hi Jon

Just been using what you wrote as a base for some searches and came across this article explaining 1:M NAT over an S2S VPN:

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Using_Site-to-Site_VPN_Translation

I will have a look at the device and see if I can convince it to try this. Like you said, it appears to accept any IP to be translated to, so it should be fine. Thank you very much indeed for your help, very much appreciated, and it has stopped the remainder of my hair going grey!

Many Thanks

James

James

No problem, glad to have helped.

Jon