How does Cisco Meraki MX "1:Many NAT" work?

Updated: Jan 13

Traffic from the outside that matches a 1:Many NAT rule will be forwarded to the internal host just like a port forward. Return traffic for that flow will be mapped back to the "Public IP" of the 1:Many NAT rule. That said, flows originating from the LAN side of the MX will never be mapped to the "Public IP" of a 1:Many NAT rule, regardless of the rule's criteria. LAN-initiated flows will always be mapped to the WAN/VIP unless the host is on a 1:1 NAT mapping.

Consider the following:

Host A <--WAN--> MX100 <-LAN--> Host B


MX 1:Many Public

If the MX has a 1:Many NAT rule that forwards TCP port 22 received on to Host B on port 22, an SSH session from outside to would flow through to Host B as expected and return traffic for said session would be mapped to on the outbound.

That said, if Host B went to SSH into Host A, that flow would be NATed like any other flow and come from from the perspective of Host A.
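The mapping rules above, written out as a small model. This is an added illustration, not Meraki code: the class, its field names and every address (documentation and private ranges) are constructed, and source-port translation is ignored.

```python
# Toy model of the address mapping the article describes.
# Not Meraki code; every address below is constructed (RFC 5737 / RFC 1918).
from dataclasses import dataclass, field

@dataclass
class MX:
    wan_ip: str                                      # WAN/VIP used for ordinary outbound NAT
    one_to_many: dict = field(default_factory=dict)  # (public_ip, proto, port) -> (lan_ip, lan_port)
    one_to_one: dict = field(default_factory=dict)   # lan_ip -> public_ip
    flows: dict = field(default_factory=dict)        # (lan_ip, lan_port, peer, peer_port) -> public_ip

    def inbound(self, peer, peer_port, dst_ip, proto, dst_port):
        """Packet arriving on the WAN: forwarded only if a 1:Many rule matches."""
        target = self.one_to_many.get((dst_ip, proto, dst_port))
        if target is None:
            return None                              # no rule, no forward
        # Remember which public IP this flow came in on
        self.flows[(*target, peer, peer_port)] = dst_ip
        return target

    def outbound_source(self, lan_ip, lan_port, peer, peer_port):
        """Source IP the outside peer sees for a packet leaving the LAN."""
        # Return traffic of a flow that entered through a 1:Many rule
        public = self.flows.get((lan_ip, lan_port, peer, peer_port))
        if public is not None:
            return public
        # LAN-initiated flow: 1:1 NAT if the host has one, otherwise WAN/VIP
        return self.one_to_one.get(lan_ip, self.wan_ip)

def demo():
    host_a, host_b = "198.51.100.10", "192.168.128.20"
    mx = MX(wan_ip="203.0.113.2")
    mx.one_to_many[("203.0.113.50", "tcp", 22)] = (host_b, 22)
    results = {}
    # Host A opens SSH to the 1:Many public IP
    results["forwarded_to"] = mx.inbound(host_a, 40000, "203.0.113.50", "tcp", 22)
    results["reply_source"] = mx.outbound_source(host_b, 22, host_a, 40000)
    # Host B opens SSH to Host A (LAN-initiated): the rule is not consulted
    results["lan_initiated_source"] = mx.outbound_source(host_b, 51000, host_a, 22)
    # Same flow after giving Host B a 1:1 NAT mapping
    mx.one_to_one[host_b] = "203.0.113.60"
    results["with_one_to_one"] = mx.outbound_source(host_b, 51000, host_a, 22)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

If Host A filters by source address, the address to allow for sessions that Host B initiates is the WAN/VIP (or Host B's 1:1 public IP), not the 1:Many public IP.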


