
UDP Port Mapping? - Cisco Meraki VPN issue

Question asked by 5132e064-9dd0-4ac4-b03c-08efaf72f166 on Jan 21, 2019
Latest reply on Jan 21, 2019 by Vladimir Yakovlev

Attempting to set up a Cisco Meraki VPN behind our Checkpoint appliance running R77.30. The Meraki uses UDP hole-punching to establish the VPN. We have firewall rules in place to allow all traffic to and from the Meraki; these are working. The Meraki device behind our firewall is configured with static NAT.


The Meraki can talk to the other Meraki device outside of our network, but it cannot establish the VPN connection. The following error is reported:

NAT type: Unfriendly. The appliance is behind a VPN-unfriendly NAT, which can be caused by upstream load balancers or strict firewall rules.


Meraki troubleshooting documentation states the following cause and solutions:  


In this example the upstream firewall rewrites the source port for each outbound connection differently. Notice that the first connection is changed to port 56125 while the second is instead 56126. When the registry servers see different source ports, the NAT unfriendly error will appear:

Shouldn't static NAT eliminate this issue? Doesn't static NAT maintain the original source ports (UDP in this case)?


1. If using a load balancer, or NAT across multiple public IP addresses, map traffic from the internal address of the appliance to a single public IP address. This will keep the public IP address seen by the VPN registry consistent.

We are using Static NAT so we should be good here.


2. Select an arbitrary port that will be used for all VPN traffic to this MX (e.g. UDP port 51625). Manually create a port mapping on the upstream firewall that will forward all traffic received on a specific public IP and port to the internal address of the appliance on the selected port. In Dashboard on the Security & SD-WAN > Configure > Site-to-site VPN page use the Manual: Port forwarding option for NAT traversal, and provide the public IP address and port that was configured. All peers will then connect using this IP address and port combination.

Looking at the above bolded part regarding manually creating a port mapping.  How is this done on the Checkpoint?  Would a NAT rule be the ideal way where the source service and destination service are both set to this "arbitrary" port number?
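
One way to test for the condition the quoted Meraki text describes (the same internal source appearing with different public source ports), added here as an example that is not part of the original post or of Meraki's or Check Point's documentation. It assumes you have paired up packets captured on the inside and outside of the firewall into flow tuples; the addresses, the internal port 40000, the function name and the verdict strings are constructed for illustration.

```python
from collections import defaultdict

# Constructed flows: (internal_ip, internal_port, public_ip, public_port, registry_ip).
# Ports 56125/56126 follow the quoted documentation; everything else is sample data.
SAMPLE_REWRITTEN = [
    ("10.0.0.2", 40000, "203.0.113.5", 56125, "198.51.100.1"),
    ("10.0.0.2", 40000, "203.0.113.5", 56126, "198.51.100.2"),
]
SAMPLE_STATIC = [
    ("10.0.0.2", 40000, "203.0.113.5", 40000, "198.51.100.1"),
    ("10.0.0.2", 40000, "203.0.113.5", 40000, "198.51.100.2"),
]


def classify_nat(flows):
    """Return {(internal_ip, internal_port): verdict} for a list of flow tuples.

    A mapping is 'consistent' when every destination sees the same public
    (ip, port) for a given internal (ip, port), which is what UDP
    hole-punching relies on.
    """
    seen = defaultdict(set)
    for int_ip, int_port, pub_ip, pub_port, _dst in flows:
        seen[(int_ip, int_port)].add((pub_ip, pub_port))

    verdicts = {}
    for key, mappings in seen.items():
        pub_ips = {ip for ip, _ in mappings}
        pub_ports = {port for _, port in mappings}
        if len(pub_ips) > 1:
            # Item 1 in the quoted text: NAT across multiple public addresses.
            verdicts[key] = "inconsistent: public IP varies"
        elif len(pub_ports) > 1:
            # The quoted example: 56125 for one connection, 56126 for the next.
            verdicts[key] = "inconsistent: source port varies"
        elif pub_ports == {key[1]}:
            verdicts[key] = "consistent: port preserved"
        else:
            verdicts[key] = "consistent: port translated"
    return verdicts


if __name__ == "__main__":
    for name, flows in (("rewritten", SAMPLE_REWRITTEN), ("static", SAMPLE_STATIC)):
        print(name, classify_nat(flows))
```
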