jwmac
Participant

UDP Port Mapping? - Cisco Meraki VPN issue


Attempting to set up a Cisco Meraki VPN behind our Check Point appliance running R77.30. The Meraki uses UDP hole-punching to establish the VPN. We have firewall rules in place to allow all traffic to and from the Meraki; these are working. The Meraki device behind our firewall is configured with static NAT.

The Meraki can talk to the other Meraki device outside of our network, but it cannot establish the VPN connection. The following error is reported:

NAT type: Unfriendly. The appliance is behind a VPN-unfriendly NAT, which can be caused by upstream load balancers or strict firewall rules.

Meraki troubleshooting documentation states the following cause and solutions:  

Cause:

In this example the upstream firewall rewrites the source port for each outbound connection differently. Notice that the first connection is changed to port 56125 while the second is instead 56126. When the registry servers see different source ports, the NAT unfriendly error will appear:

Shouldn't static NAT eliminate this issue? Doesn't static NAT maintain the original source ports (UDP in this case)?

1. If using a load balancer, or NAT across multiple public IP addresses, map traffic from the internal address of the appliance to a single public IP address. This will keep the public IP address seen by the VPN registry consistent.

We are using Static NAT so we should be good here.

2. Select an arbitrary port that will be used for all VPN traffic to this MX (e.g. UDP port 51625). Manually create a port mapping on the upstream firewall that will forward all traffic received on a specific public IP and port to the internal address of the appliance on the selected port. In Dashboard on the Security & SD-WAN > Configure > Site-to-site VPN page use the Manual: Port forwarding option for NAT traversal, and provide the public IP address and port that was configured. All peers will then connect using this IP address and port combination.

Looking at the part above regarding manually creating a port mapping: how is this done on the Check Point? Would a NAT rule be the ideal way, where the source service and destination service are both set to this "arbitrary" port number?

Thanks

Accepted Solutions
Vladimir
Champion

Let's try to figure this one out.

Some things in the quoted document are unclear. In the first paragraph, the reference made to the outbound traffic:

In this example the upstream firewall rewrites the source port for each outbound connection differently.

While in the third one, to the inbound:

Select an arbitrary port that will be used for all VPN traffic to this MX (e.g. UDP port 51625).

 

This being said, provided that you can create the custom UDP service:

or, if this will prove insufficient, you can try:

Create a manual NAT rule on top of your NAT policy, citing a source and destination service of Meraki_VPN and a destination IP of the MX (valid IP), with its translated destination being the MX's private IP or the actual object.

Then proceed with the instructions you have pasted in your original post:

In Dashboard on the Security & SD-WAN > Configure > Site-to-site VPN page use the Manual: Port forwarding option for NAT traversal, and provide the public IP address and port that was configured. All peers will then connect using this IP address and port combination.

4 Replies
jwmac
Participant

Very helpful response. Would the source port be statically mapped outbound to a single UDP port, as stated in the first paragraph: "Notice that the first connection is changed to port 56125 while the second is instead 56126"?

thanks

Vladimir
Champion

I do not believe so, but from what I'm reading in the Meraki paragraphs you are quoting, it shouldn't matter:

It looks like each Meraki device is registering its inbound port to the cloud service and that is what the rest of the participants are looking at.

CheckYouMates
Explorer

Hey Vladimir,

How do you put in a source service when creating a manual NAT statement in the NAT policy?

I have a similar problem, and the Meraki TAC shared the link to this discussion to refer to for the Check Point port mapping.

I have gone through this discussion and this is what I have to say:

Currently we are using source NAT, i.e., NATting the Meraki MX appliance's IP to a public IP while it registers to the Meraki Cloud registry.

Currently we are using Hide NAT, but as per Meraki TAC we should follow this discussion to do port forwarding on the Check Point.

My question is: if we set a port (service) in the NAT policy statement, that will be for the destination port, i.e., the port that the Meraki VPN registry listens on, and the source port (service) will be a random port selected by the MX appliance.

If this is true, then we won't solve our original problem by port mapping, as the source port (service) that the MX selects is what everybody else is interested in.

What is needed here is to do static NAT instead of Hide NAT to solve the problem, isn't it?

Please comment.

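The thread keeps circling the same question: what the registry servers actually see, and whether Hide NAT, static NAT, or a manual port mapping changes it. The following is an added example, written for this page and not code from Meraki, Check Point or any poster, that models the three cases described in the quoted Meraki text (the per-flow source-port rewrite in the "Cause" paragraph, the static one-to-one mapping of option 1, and the published port of option 2) and the last reply's source-port versus destination-port question. Every address, port, registry behaviour and class name in it is a hypothetical stand-in: a Hide NAT that hands each new (source, destination) flow the next free public port and only lets the original remote endpoint back through that mapping, a static NAT that rewrites the IP and preserves the port, and a manual port-forward rule layered on top.

```python
"""Constructed model of the "NAT type: Unfriendly" check (added example).

Not Meraki's or Check Point's code. Every address, port and the registry
behaviour below are hypothetical stand-ins for the mechanism the quoted
troubleshooting text describes: two registry servers compare the public
(ip, port) they each see from the appliance.
"""
from itertools import count
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]

MX_PRIVATE = "10.0.0.5"          # hypothetical MX LAN address
PUBLIC_IP = "198.51.100.7"       # hypothetical public IP owned by the firewall
MX_SRC_PORT = 50000              # hypothetical UDP source port the MX sends from
REGISTRY = [("203.0.113.10", 9350), ("203.0.113.11", 9350)]  # two hypothetical registry servers
REMOTE_MX = ("192.0.2.44", 40000)                            # hypothetical remote peer


class HideNat:
    """Hide (many-to-one) NAT: each new (src, dst) flow gets the next public port,
    and only the original remote endpoint may send replies through that mapping."""

    def __init__(self, public_ip: str, first_port: int = 56125) -> None:
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.flows: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        if (src, dst) not in self.flows:
            self.flows[(src, dst)] = (self.public_ip, next(self._ports))
        return self.flows[(src, dst)]

    def inbound(self, peer: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        for (src, orig_dst), public in self.flows.items():
            if public == dst and orig_dst == peer:
                return src
        return None  # no mapping for this (peer, port) pair: packet dropped


class StaticNat:
    """Static (one-to-one) NAT: only the IP is rewritten, the port is preserved,
    and inbound packets to the public IP reach the host on the same port."""

    def __init__(self, public_ip: str, private_ip: str) -> None:
        self.public_ip, self.private_ip = public_ip, private_ip

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        return (self.public_ip, src[1])

    def inbound(self, peer: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        return (self.private_ip, dst[1]) if dst[0] == self.public_ip else None


class PortForward:
    """A manual NAT rule placed above another NAT: one published (ip, port) is
    always forwarded to the appliance, whatever the outbound translation did."""

    def __init__(self, inner, published: Endpoint, target: Endpoint) -> None:
        self.inner, self.published, self.target = inner, published, target

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        return self.inner.outbound(src, dst)

    def inbound(self, peer: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        return self.target if dst == self.published else self.inner.inbound(peer, dst)


def register(nat) -> List[Endpoint]:
    """The public endpoint each registry server records for the MX's probe."""
    return [nat.outbound((MX_PRIVATE, MX_SRC_PORT), server) for server in REGISTRY]


def classify(seen: List[Endpoint]) -> str:
    """Registry verdict: one consistent public endpoint is friendly, anything else is not."""
    return "friendly" if len(set(seen)) == 1 else "unfriendly"


def peer_reaches_mx(nat, advertised: Endpoint) -> bool:
    """Does a packet from the remote MX to the advertised endpoint land on our MX?"""
    delivered = nat.inbound(REMOTE_MX, advertised)
    return delivered is not None and delivered[0] == MX_PRIVATE


def scenario(nat, published: Optional[Endpoint] = None) -> dict:
    """Run a registration, then let the peer dial either the manually published
    endpoint or, failing that, whatever the first registry server reported."""
    seen = register(nat)
    advertised = published if published is not None else seen[0]
    return {"seen": seen, "nat_type": classify(seen),
            "advertised": advertised, "peer_reaches_mx": peer_reaches_mx(nat, advertised)}


def hide_nat_case() -> dict:
    return scenario(HideNat(PUBLIC_IP))


def static_nat_case() -> dict:
    return scenario(StaticNat(PUBLIC_IP, MX_PRIVATE))


def hide_nat_with_port_forward_case() -> dict:
    published, target = (PUBLIC_IP, 51625), (MX_PRIVATE, 51625)
    return scenario(PortForward(HideNat(PUBLIC_IP), published, target), published)


if __name__ == "__main__":
    for name, case in [("hide NAT", hide_nat_case), ("static NAT", static_nat_case),
                       ("hide NAT + manual port forward", hide_nat_with_port_forward_case)]:
        print(f"{name:32} {case()}")
```

Running it shows the three outcomes side by side: under Hide NAT the two registry servers see ports 56125 and 56126, the verdict is unfriendly, and a remote peer dialling the first of those ports is dropped because the mapping belongs to a different remote endpoint; under static NAT both servers see the same port, the verdict is friendly, and the peer gets through; with a manual port forward in front of the same Hide NAT the outbound verdict is still unfriendly, but the peer dialling the published (public IP, 51625) endpoint is forwarded regardless, which is what the "Manual: Port forwarding" option relies on. On a Check Point gateway that published endpoint is the manual NAT rule Vladimir describes: Original Destination is the public IP object, Original Service a custom UDP service for the chosen port, Translated Destination the MX host object, with static translation; the Service column of a NAT rule matches the destination port, and the source-port side of a UDP service is set in the service object's advanced properties rather than in the rule. The model is deliberately idealised: the original poster reports the error with static NAT already in place and the thread does not resolve why, so the practical check is a capture on the external interface comparing the translated source ports of the MX's two registry probes.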