<div dir="ltr"><div class="gmail_quote"><div>The port forwarding only applies to manual NAT traversal. If you use auto NAT traversal, it takes care of that. Because all of the connections are coordinated through the dashboard, the Auto-VPN will typically work even if all nodes are behind NAT. I've used them on the end of Verizon (CG-NAT) connections and they work fine. I have had one instance where three of them were behind the same single IP NAT and the third would fail to connect. We had to get one of them moved to a different NAT IP to solve that.</div><div><br></div><div>If you're looking for a simple to use, easy to manage VPN appliance, the MX (and Z) Meraki products will work. The config is entirely handled through the dashboard, so no-touch, drop ship deployments are an option. You can provide view only access to users per network, so the customer or a first level tech could be given the ability to look but not break anything. </div><div><br></div><div>All of the MX and Z products will work in a single VPN, so you can pick the device that best fits the requirements. For a small office with one or two people, the Z3 works great, it even has one PoE port for an IP phone. For larger sites or the core site, they go up to 6Gb (I think) of throughput for the MX450, with redundant power and uplinks. </div><div><br></div><div>As others have pointed out, they are license based and they don't work without a license, and they are a Cisco product, so pricing will depend on how good your relationship is with your Cisco rep. :) One big caveat: they are still lacking in the IPv6 realm so if that is a requirement, they won't work right now.</div><div>--Rich</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>---------- Forwarded message ----------<br>From: William Herrin <<a href="mailto:bill@herrin.us" target="_blank">bill@herrin.us</a>><br>To: Shawn L <<a href="mailto:shawnl@up.net" target="_blank">shawnl@up.net</a>><br>Cc: "<a href="mailto:nanog@nanog.org" target="_blank">nanog@nanog.org</a>" <<a href="mailto:nanog@nanog.org" target="_blank">nanog@nanog.org</a>><br>Bcc: <br>Date: Thu, 10 Feb 2022 10:54:39 -0800<br>Subject: Re: VPN recommendations?<br>On Thu, Feb 10, 2022 at 10:18 AM Shawn L <<a href="mailto:shawnl@up.net" target="_blank">shawnl@up.net</a>> wrote:<br>> Meraki MX series? Dynamic IPs and NATs don't really cause them a problem. Some CGNats do (AT&T I'm looking at you).<br><br>Thanks Shawn,<br><br>The documentation I found at<br><a href="https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings" rel="noreferrer" target="_blank">https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings</a><br>suggests that the NAT firewall has to be explicitly configured to<br>deliver UDP 500/4500 to the Meraki behind it. Are you aware of any<br>documentation that describes:<br><br>LAN - Meraki - NAT (dynaimic IP) - Internet - (static IP) Meraki - LAN<br><br>Where the left-side Meraki is responsible for establishing and keeping<br>the NAT translations alive without any special configuration on the<br>NAT?<br><br>Regards,<br>Bill<br>
</div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><font face="monospace">Rich Greenwood<br>Network Engineer<br></font><div><font face="monospace"><span style="background-color:transparent;color:rgb(0,0,0);white-space:pre-wrap">Shasta County Office of Education</span><br></font></div><div><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font face="monospace">Information Technology</font></span></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font face="monospace">1644 Magnolia Ave.</font></span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font face="monospace">Redding, CA 96001</font></span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font face="monospace">Office: 530-225-0161</font></span></p><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"></p><div style="color:rgb(32,33,36);font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"></div><p></p><div style="color:rgb(32,33,36);font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><font face="monospace">Hotline: 530-225-0279</font></div><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><font face="monospace"><a href="mailto:rgreenwood@shastacoe.org" target="_blank">rgreenwood@shastacoe.org</a><br></font></p><font face="monospace"><br></font><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><span style="border:none;display:inline-block;overflow:hidden;width:107px;height:37px"><font face="monospace"><img src="https://lh6.googleusercontent.com/bQuRd9bOFSBZoD5P8098OeKi2h-EQ7_wjxKrgjLnj_11EHSaq9pfSEsQC7k670anVhENdHBuRV36ohjuvTsma9Jnvqct2eFiGDp4p8HUJt5VtdiNw3inTO-dQb4bdoFXW157CNlU" style="margin-left: 0px; margin-top: 0px;" width="96" height="34"></font></span></span></p></div></div></div></div>