How does Cisco Meraki MX "1:Many NAT" work?
Updated: Jan 13, 2022
Traffic from the outside that matches a 1:Many NAT rule is forwarded to the internal host just like a port forward. Return traffic for that flow is mapped back to the "Public IP" of the 1:Many NAT rule. That said, flows originating from the LAN side of the MX are never mapped to the "Public IP" of a 1:Many NAT rule, regardless of the rule's criteria. LAN-initiated flows are always mapped to the WAN/VIP unless the host is on a 1:1 NAT mapping.
Consider the following:
Host A <--WAN--> MX100 <--LAN--> Host B
MX WAN 188.8.131.52
MX 1:Many Public 184.108.40.206
If the MX has a 1:Many NAT rule that forwards TCP port 22 received on 220.127.116.11 to Host B on port 22, an SSH session from outside to 18.104.22.168 would flow through to Host B as expected and return traffic for said session would be mapped to 22.214.171.124 on the outbound.
That said, if Host B were to SSH into Host A, that flow would be NATed like any other flow and would come from 126.96.36.199 from the perspective of Host A.
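The mapping rules described above, written as a small Python model. This is an added illustration, not Meraki code or configuration; the class and function names are hypothetical and every address is a constructed documentation value.

```python
# Added model of the source-address selection described above; not Meraki code.
# All addresses are constructed documentation values, not the ones in the post.
from dataclasses import dataclass, field

WAN_IP = "203.0.113.10"       # MX WAN address (constructed)
MANY_PUBLIC = "203.0.113.20"  # "Public IP" of the 1:Many rule (constructed)
HOST_A = "198.51.100.7"       # outside host (constructed)
HOST_B = "192.168.128.5"      # LAN host (constructed)

@dataclass
class MX:
    wan_ip: str
    one_to_many: dict  # (public_ip, proto, public_port) -> (lan_ip, lan_port)
    one_to_one: dict = field(default_factory=dict)  # lan_ip -> public_ip
    flows: dict = field(default_factory=dict)       # state from inbound matches

    def inbound(self, src, sport, dst, proto, dport):
        """Packet arriving on the WAN: forwarded only if a 1:Many rule matches."""
        target = self.one_to_many.get((dst, proto, dport))
        if target is None:
            return None  # no matching rule: not forwarded in this model
        # Remember which public IP the flow arrived on, for the return path.
        self.flows[(proto, target[0], target[1], src, sport)] = dst
        return target

    def outbound_source(self, lan_ip, lan_port, dst, proto, dport):
        """Source IP the outside host sees for a packet leaving the LAN."""
        # Return traffic of a forwarded flow keeps the rule's "Public IP".
        established = self.flows.get((proto, lan_ip, lan_port, dst, dport))
        if established:
            return established
        # LAN-initiated flow: 1:1 NAT mapping if one exists, otherwise the WAN IP.
        return self.one_to_one.get(lan_ip, self.wan_ip)

def demo():
    mx = MX(WAN_IP, {(MANY_PUBLIC, "tcp", 22): (HOST_B, 22)})
    # Host A opens SSH to the 1:Many Public IP; the MX forwards it to Host B.
    forwarded_to = mx.inbound(HOST_A, 50000, MANY_PUBLIC, "tcp", 22)
    # Host B's reply on that session leaves from the 1:Many Public IP.
    reply_src = mx.outbound_source(HOST_B, 22, HOST_A, "tcp", 50000)
    # Host B opens its own SSH session to Host A: it leaves from the WAN IP.
    initiated_src = mx.outbound_source(HOST_B, 40000, HOST_A, "tcp", 22)
    return forwarded_to, reply_src, initiated_src

if __name__ == "__main__":
    print(demo())
```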