How does Cisco Meraki MX "1:Many NAT" work?

Updated: Jan 13

Traffic from the outside that matches a 1:Many NAT rule will be forwarded to the internal host just like a port forward. Return traffic for that flow will be mapped back to the "Public IP" of the 1:Many NAT rule. That said, flows originating from the LAN side of the MX will never be mapped to the "Public IP" of a 1:Many NAT rule, regardless of the rule's criteria. LAN-initiated flows will always be mapped to the WAN/VIP unless the host is on a 1:1 NAT mapping.

Consider the following:

Host A <--WAN--> MX100 <--LAN--> Host B

MX WAN 1.1.1.1

MX 1:Many Public 1.1.1.2

If the MX has a 1:Many NAT rule that forwards TCP port 22 received on 1.1.1.2 to Host B on port 22, an SSH session from outside to 1.1.1.2 would flow through to Host B as expected and return traffic for said session would be mapped to 1.1.1.2 on the outbound.

That said, if Host B were to SSH into Host A, that flow would be NATed like any other flow and would come from 1.1.1.1 from the perspective of Host A.
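The address selection described above, modelled as an added example (this is not Meraki code). The addresses used for Host A and Host B, the class and method names, and the unchanged source port on LAN-initiated flows are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class MX:
    wan_ip: str
    # (public_ip, proto, public_port) -> (lan_ip, lan_port)
    one_to_many: dict = field(default_factory=dict)
    # lan_ip -> public_ip
    one_to_one: dict = field(default_factory=dict)
    # flows admitted by a 1:Many rule: flow key -> public (ip, port)
    flows: dict = field(default_factory=dict)

    def inbound(self, src, sport, dst, dport, proto="tcp"):
        """WAN-side packet: forwarded only when a 1:Many rule matches."""
        target = self.one_to_many.get((dst, proto, dport))
        if target is None:
            return None  # no matching rule, nothing is forwarded
        lan_ip, lan_port = target
        # Record the public IP/port so return traffic maps back to it.
        self.flows[(proto, lan_ip, lan_port, src, sport)] = (dst, dport)
        return (lan_ip, lan_port)

    def outbound_source(self, src, sport, dst, dport, proto="tcp"):
        """LAN-side packet: the source (ip, port) the remote host sees."""
        reply = self.flows.get((proto, src, sport, dst, dport))
        if reply is not None:
            return reply  # return traffic of an inbound 1:Many flow
        # LAN-initiated: 1:1 NAT address if one exists, else the WAN IP.
        # Keeping the source port unchanged is a simplification.
        return (self.one_to_one.get(src, self.wan_ip), sport)

# Constructed addresses: Host A = 203.0.113.5, Host B = 192.168.128.10.
HOST_A, HOST_B = "203.0.113.5", "192.168.128.10"

def demo():
    mx = MX("1.1.1.1", one_to_many={("1.1.1.2", "tcp", 22): (HOST_B, 22)})
    mx.inbound(HOST_A, 50000, "1.1.1.2", 22)                   # A -> 1.1.1.2:22
    reply = mx.outbound_source(HOST_B, 22, HOST_A, 50000)      # B's reply
    initiated = mx.outbound_source(HOST_B, 40000, HOST_A, 22)  # B -> A:22
    return reply, initiated

if __name__ == "__main__":
    print(demo())
```

A source-IP allow-list on Host A therefore has to name 1.1.1.1 for sessions Host B initiates, even though Host A reaches Host B through 1.1.1.2.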
