Sunday, August 18, 2019

Silly Meraki Tricks: LAN Hairpin NAT (Sort of)

Working with Meraki these last two years has led me to discover a few oddities in the way things wrok. Often, these silly little tricks can be used to solve problems, but they also may lead to unintuitive configs. Either way, I don't understand why I haven't posted them here before. You will likely find anything that I post under this moniker something I've already posted about over at the Meraki Community, and I will link over to the full conversation where there is one.

For my first Silly Meraki Trick I will show you how to get a NAT translation for LANtoLAN traffic on an MX appliance.

The Meraki MX appliance will, by default, always NAT traffic moving between WAN and LAN, but it will not NAT between LAN and LAN. However, you can leverage the 1:Many and 1:1 NAT features to simulate a NAT between two LAN networks. To illustrate this I have a Raspberry Pi behind an MX on VLAN 10 with an IP of 192.168.100.5. I then created the following 1:Many NAT rule under Security appliance > firewall:


So then as a test I then SSH'd to the 1:Many IP, which "hairpins" me back to the same Raspberry PI. 



Very cool. So while not quite a true hairpin, it does the exact same thing. 

No comments:

Post a Comment