
UDP Port Mapping? - Cisco Meraki VPN issue

Attempting to set up a Cisco Meraki VPN behind our Checkpoint appliance running R77.30. The Meraki uses UDP hole-punching to establish the VPN. We have firewall rules in place to allow all traffic to and from the Meraki, these are working. The Meraki device behind our firewall is configured with static NAT.

The Meraki can talk to the other Meraki device outside of our network, but it cannot establish the VPN connection. The following error is reported:

NAT type: Unfriendly. The appliance is behind a VPN-unfriendly NAT, which can be caused by upstream load balancers or strict firewall rules.

Meraki troubleshooting documentation states the following cause and solutions:  

Cause:

In this example the upstream firewall rewrites the source port for each outbound connection differently. Notice that the first connection is changed to port 56125 while the second is instead 56126. When the registry servers see different source ports, the NAT unfriendly error will appear:

Shouldn't static NAT eliminate this issue? Doesn't static NAT maintain the original source ports (UDP in this case)?

1. If using a load balancer, or NAT across multiple public IP addresses, map traffic from the internal address of the appliance to a single public IP address. This will keep the public IP address seen by the VPN registry consistent.

We are using Static NAT so we should be good here.

2. Select an arbitrary port that will be used for all VPN traffic to this MX (e.g. UDP port 51625). Manually create a port mapping on the upstream firewall that will forward all traffic received on a specific public IP and port to the internal address of the appliance on the selected port. In Dashboard on the Security & SD-WAN > Configure > Site-to-site VPN page use the Manual: Port forwarding option for NAT traversal, and provide the public IP address and port that was configured. All peers will then connect using this IP address and port combination.

Looking at the above bolded part regarding manually creating a port mapping. How is this done on the Checkpoint? Would a NAT rule be the ideal way where the source service and destination service are both set to this "arbitrary" port number?

Thanks

0 Kudos
1 Solution

Accepted Solutions
Vladimir
Pearl

Re: UDP Port Mapping? - Cisco Meraki VPN issue

Let's try to figure this one out.

Some things in the quoted document are unclear. In the first paragraph, the reference is made to the outbound traffic:

In this example the upstream firewall rewrites the source port for each outbound connection differently.

While in the third one, to the inbound:

Select an arbitrary port that will be used for all VPN traffic to this MX (e.g. UDP port 51625).

This being said, provided that you can create the custom UDP service:

or, if this will prove insufficient, you can try:

Create a manual NAT rule on top of your NAT policy citing source and destination service of Meraki_VPN and destination IP of the MX (Valid IP) and its translated destination of the MX's private IP or actual object.

Then proceed with the instructions you have pasted in your original post:

In Dashboard on the Security & SD-WAN > Configure > Site-to-site VPN page use the Manual: Port forwarding option for NAT traversal, and provide the public IP address and port that was configured. All peers will then connect using this IP address and port combination.

0 Kudos
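To make the two behaviours discussed in the question and the accepted answer concrete, here is a small model of what the VPN registry servers see behind a static (1:1) NAT versus a hide (PAT) NAT, and why a manual port forward lets peers reach the MX without a prior outbound mapping. This is an added example written for this thread; it is not code from Cisco, Check Point or the poster. All addresses, the registry port and the 56125/56126 port sequence are constructed for illustration, and the access policy is assumed to permit the traffic (as the original post states).

```python
"""Model of NAT behaviour as seen by a VPN registry (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

MX_PRIVATE = "10.0.0.10"        # constructed: MX address behind the firewall
MX_PUBLIC = "203.0.113.10"      # constructed: the MX's static NAT / valid IP
REGISTRY_A = "198.51.100.1"     # constructed: first VPN registry server
REGISTRY_B = "198.51.100.2"     # constructed: second VPN registry server
REGISTRY_PORT = 9350            # constructed placeholder registry port

class StaticNat:
    """1:1 address translation: the source port is left untouched, so every
    registry sees the same public ip:port whatever the destination was."""
    def __init__(self, private_ip: str, public_ip: str):
        self.private_ip, self.public_ip = private_ip, public_ip

    def outbound(self, f: Flow) -> Flow:
        if f.src_ip != self.private_ip:
            return f
        return Flow(self.public_ip, f.src_port, f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        if f.dst_ip != self.public_ip:
            return None
        return Flow(f.src_ip, f.src_port, self.private_ip, f.dst_port)

class HideNat:
    """Hide (PAT) NAT that allocates a fresh public source port for each new
    outbound 5-tuple, the behaviour the Meraki document describes (56125, then
    56126). Inbound packets are accepted only if they match a mapping that an
    earlier outbound packet created for that exact remote endpoint."""
    def __init__(self, public_ip: str, first_port: int = 56125):
        self.public_ip = public_ip
        self.next_port = first_port
        # (priv_ip, priv_port, dst_ip, dst_port) -> allocated public port
        self.table: Dict[Tuple[str, int, str, int], int] = {}
        # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.reverse: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, f: Flow) -> Flow:
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[(self.next_port, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port)
            self.next_port += 1
        return Flow(self.public_ip, self.table[key], f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        priv = self.reverse.get((f.dst_port, f.src_ip, f.src_port))
        if f.dst_ip != self.public_ip or priv is None:
            return None          # no mapping: the packet is dropped
        return Flow(f.src_ip, f.src_port, priv[0], priv[1])

class PortForward:
    """A manual port mapping in front of any NAT (the 'Manual: Port forwarding'
    option): traffic to public_ip:public_port is delivered to the MX on mx_port
    whether or not the MX sent anything out first."""
    def __init__(self, inner, public_ip: str, public_port: int, mx_ip: str, mx_port: int):
        self.inner, self.public_ip, self.public_port = inner, public_ip, public_port
        self.mx_ip, self.mx_port = mx_ip, mx_port

    def outbound(self, f: Flow) -> Flow:
        return self.inner.outbound(f)

    def inbound(self, f: Flow) -> Optional[Flow]:
        if (f.dst_ip, f.dst_port) == (self.public_ip, self.public_port):
            return Flow(f.src_ip, f.src_port, self.mx_ip, self.mx_port)
        return self.inner.inbound(f)

def registry_observations(nat, mx_port: int) -> List[Tuple[str, int]]:
    """The public endpoint each registry server records for the MX."""
    seen = []
    for registry in (REGISTRY_A, REGISTRY_B):
        out = nat.outbound(Flow(MX_PRIVATE, mx_port, registry, REGISTRY_PORT))
        seen.append((out.src_ip, out.src_port))
    return seen

def nat_type(observations: List[Tuple[str, int]]) -> str:
    """The registries agree on one ip:port -> friendly; otherwise unfriendly."""
    return "Friendly" if len(set(observations)) == 1 else "Unfriendly"

def peer_can_reach(nat, endpoint: Tuple[str, int],
                   peer_ip: str = "192.0.2.50", peer_port: int = 51625) -> bool:
    """Can a remote peer that learned `endpoint` from the registry get through?"""
    return nat.inbound(Flow(peer_ip, peer_port, endpoint[0], endpoint[1])) is not None

if __name__ == "__main__":
    for label, nat in (("static NAT", StaticNat(MX_PRIVATE, MX_PUBLIC)),
                       ("hide NAT", HideNat(MX_PUBLIC)),
                       ("hide NAT + port forward",
                        PortForward(HideNat(MX_PUBLIC), MX_PUBLIC, 51625, MX_PRIVATE, 51625))):
        obs = registry_observations(nat, 51625)
        print(f"{label}: registries saw {obs} -> {nat_type(obs)}; "
              f"peer reaches {MX_PUBLIC}:51625: {peer_can_reach(nat, (MX_PUBLIC, 51625))}")
```

The hide NAT case reproduces the error in the question: the two registries log different ports, and a peer dialling either of them has no mapping to match. The static NAT case preserves the port, which is why the poster expected it to be sufficient; the port-forward wrapper shows what the "Manual: Port forwarding" option relies on, namely a fixed inbound mapping that does not depend on the outbound translation at all, which matches the accepted answer's manual NAT rule.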
3 Replies

Re: UDP Port Mapping? - Cisco Meraki VPN issue

Very helpful response. Would source port statically map outbound to a single UDP port as stated in the first paragraph: Notice that the first connection is changed to port 56125 while the second is instead 56126.

Thanks

0 Kudos
Vladimir
Pearl

Re: UDP Port Mapping? - Cisco Meraki VPN issue

I do not believe so, but from what I'm reading in the Meraki paragraphs you are quoting, it shouldn't matter:

It looks like each Meraki device is registering its inbound port to the cloud service and that is what the rest of the participants are looking at.

0 Kudos