cisco.meraki.meraki_mx_nat – Manage NAT rules in Meraki cloud

Note

This plugin is part of the cisco.meraki collection (version 2.2.1).

To install it use: ansible-galaxy collection install cisco.meraki.

To use it in a playbook, specify: cisco.meraki.meraki_mx_nat.

Synopsis

  • Allows for creation, management, and visibility of NAT rules (1:1, 1:many, port forwarding) within Meraki.

Parameters

Parameter Choices/Defaults Comments
auth_key
string / required
Authentication key provided by the dashboard. Required if environmental variable MERAKI_KEY is not set.
host
string
Default:
"api.meraki.com"
Hostname for Meraki dashboard.
Can be used to access regional Meraki environments, such as China.
internal_error_retry_time
integer
Default:
60
Number of seconds to retry if server returns an internal server error.
net_id
string
ID number of a network.
net_name
string
Name of a network.

aliases: name, network
one_to_many
list / elements=dictionary
List of 1:many NAT rules.
port_rules
list / elements=dictionary
List of associated port rules.
allowed_ips
list / elements=string
Remote IP addresses or ranges that are permitted to access the internal resource via this port forwarding rule, or 'any'.
local_ip
string
Local IP address to which traffic will be forwarded.
local_port
string
Destination port of the forwarded traffic that will be sent from the MX to the specified host on the LAN.
If you simply wish to forward the traffic without translating the port, this should be the same as the Public port.
name
string
A description of the rule.
protocol
string
    Choices:
  • tcp
  • udp
Protocol to apply NAT rule to.
public_port
string
Destination port of the traffic that is arriving on the WAN.
public_ip
string
The IP address that will be used to access the internal resource from the WAN.
uplink
string
    Choices:
  • both
  • internet1
  • internet2
The physical WAN interface on which the traffic will arrive.
one_to_one
list / elements=dictionary
List of 1:1 NAT rules.
allowed_inbound
list / elements=dictionary
The ports this mapping will provide access on, and the remote IPs that will be allowed access to the resource.
allowed_ips
list / elements=string
ranges of WAN IP addresses that are allowed to make inbound connections on the specified ports or port ranges, or 'any'.
destination_ports
list / elements=string
List of ports or port ranges that will be forwarded to the host on the LAN.
protocol
string
    Choices:
  • any ←
  • icmp-ping
  • tcp
  • udp
Protocol to apply NAT rule to.
lan_ip
string
The IP address of the server or device that hosts the internal resource that you wish to make available on the WAN.
name
string
A descriptive name for the rule.
public_ip
string
The IP address that will be used to access the internal resource from the WAN.
uplink
string
    Choices:
  • both
  • internet1
  • internet2
The physical WAN interface on which the traffic will arrive.
org_id
string
ID of organization associated to a network.
org_name
string
Name of organization.

aliases: organization
output_format
string
    Choices:
  • snakecase ←
  • camelcase
Instructs module whether response keys should be snake case (ex. net_id) or camel case (ex. netId).
output_level
string
    Choices:
  • debug
  • normal ←
Set amount of debug output during module execution.
port_forwarding
list / elements=dictionary
List of port forwarding rules.
allowed_ips
list / elements=string
List of ranges of WAN IP addresses that are allowed to make inbound connections on the specified ports or port ranges (or any).
lan_ip
string
The IP address of the server or device that hosts the internal resource that you wish to make available on the WAN.
local_port
integer
A port or port ranges that will receive the forwarded traffic from the WAN.
name
string
A descriptive name for the rule.
protocol
string
    Choices:
  • tcp
  • udp
Protocol to forward traffic for.
public_port
integer
A port or port ranges that will be forwarded to the host on the LAN.
uplink
string
    Choices:
  • both
  • internet1
  • internet2
The physical WAN interface on which the traffic will arrive.
rate_limit_retry_time
integer
Default:
165
Number of seconds to retry if rate limiter is triggered.
state
string
    Choices:
  • present ←
  • query
Create or modify an organization.
subset
list / elements=string
    Choices:
  • 1:1
  • 1:many
  • all ←
  • port_forwarding
Specifies which NAT components to query.
timeout
integer
Default:
30
Time to timeout for HTTP requests.
use_https
boolean
    Choices:
  • no
  • yes ←
If no, it will use HTTP. Otherwise it will use HTTPS.
Only useful for internal Meraki developers.
use_proxy
boolean
    Choices:
  • no ←
  • yes
If no, it will not use a proxy, even if one is defined in an environment variable on the target hosts.
validate_certs
boolean
    Choices:
  • no
  • yes ←
Whether to validate HTTP certificates.

Notes

Note

  • More information about the Meraki API can be found at https://dashboard.meraki.com/api_docs.

  • Some of the options are likely only used for developers within Meraki.

  • As of Ansible 2.9, Meraki modules output keys as snake case. To use camel case, set the ANSIBLE_MERAKI_FORMAT environment variable to camelcase.

  • Ansible’s Meraki modules will stop supporting camel case output in Ansible 2.13. Please update your playbooks.

  • Check Mode downloads the current configuration from the dashboard, then compares changes against this download. Check Mode will report changed if there are differences in the configurations, but does not submit changes to the API for validation of change.

Examples

- name: Query all NAT rules
  meraki_nat:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: query
    subset: all
  delegate_to: localhost

- name: Query 1:1 NAT rules
  meraki_nat:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: query
    subset: '1:1'
  delegate_to: localhost

- name: Create 1:1 rule
  meraki_nat:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    one_to_one:
      - name: Service behind NAT
        public_ip: 1.2.1.2
        lan_ip: 192.168.128.1
        uplink: internet1
        allowed_inbound:
          - protocol: tcp
            destination_ports:
              - 80
            allowed_ips:
              - 10.10.10.10
  delegate_to: localhost

- name: Create 1:many rule
  meraki_nat:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    one_to_many:
      - public_ip: 1.1.1.1
        uplink: internet1
        port_rules:
          - name: Test rule
            protocol: tcp
            public_port: 10
            local_ip: 192.168.128.1
            local_port: 11
            allowed_ips:
              - any
  delegate_to: localhost

- name: Create port forwarding rule
  meraki_nat:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    port_forwarding:
      - name: Test map
        lan_ip: 192.168.128.1
        uplink: both
        protocol: tcp
        allowed_ips:
          - 1.1.1.1
        public_port: 10
        local_port: 11
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
data
complex
success
Information about the created or manipulated object.

 
one_to_many
complex
success, when 1:many NAT object is in task
Information about 1:many NAT object.

   
rules
complex
success, when 1:many NAT object is in task
List of 1:many NAT rules.

     
portRules
complex
success, when 1:many NAT object is in task
List of NAT port rules.

       
allowedIps
list / elements=string
success, when 1:1 NAT object is in task
List of IP addresses to be forwarded.

Sample:
10.80.100.0/24
       
localIp
string
success, when 1:1 NAT object is in task
Local IP address traffic will be forwarded.

Sample:
192.0.2.10
       
localPort
integer
success, when 1:1 NAT object is in task
Destination port to be forwarded to.

Sample:
443
       
name
string
success, when 1:many NAT object is in task
Name of NAT object.

Sample:
Web server behind NAT
       
protocol
string
success, when 1:1 NAT object is in task
Protocol to apply NAT rule to.

Sample:
tcp
       
publicPort
integer
success, when 1:1 NAT object is in task
Destination port of the traffic that is arriving on WAN.

Sample:
9443
     
publicIp
string
success, when 1:many NAT object is in task
Public IP address to be mapped.

Sample:
148.2.5.100
      uplink
string
success, when 1:many NAT object is in task
Internet port where rule is applied.

Sample:
internet1
 
one_to_one
complex
success, when 1:1 NAT object is in task
Information about 1:1 NAT object.

   
rules
complex
success, when 1:1 NAT object is in task
List of 1:1 NAT rules.

     
allowedInbound
complex
success, when 1:1 NAT object is in task
List of inbound forwarding rules.

       
allowedIps
list / elements=string
success, when 1:1 NAT object is in task
List of IP addresses to be forwarded.

Sample:
10.80.100.0/24
       
destinationPorts
string
success, when 1:1 NAT object is in task
Ports to apply NAT rule to.

Sample:
80
       
protocol
string
success, when 1:1 NAT object is in task
Protocol to apply NAT rule to.

Sample:
tcp
     
lanIp
string
success, when 1:1 NAT object is in task
Local IP address to be mapped.

Sample:
192.168.128.22
     
name
string
success, when 1:1 NAT object is in task
Name of NAT object.

Sample:
Web server behind NAT
     
publicIp
string
success, when 1:1 NAT object is in task
Public IP address to be mapped.

Sample:
148.2.5.100
      uplink
string
success, when 1:1 NAT object is in task
Internet port where rule is applied.

Sample:
internet1
 
port_forwarding
complex
success, when port forwarding is in task
Information about port forwarding rules.

   
rules
complex
success, when port forwarding is in task
List of port forwarding rules.

     
allowedIps
list / elements=string
success, when port forwarding is in task
List of IP addresses to be forwarded.

Sample:
10.80.100.0/24
     
lanIp
string
success, when port forwarding is in task
Local IP address to be mapped.

Sample:
192.168.128.22
     
localPort
integer
success, when port forwarding is in task
Destination port to be forwarded to.

Sample:
443
     
name
string
success, when port forwarding is in task
Name of NAT object.

Sample:
Web server behind NAT
     
protocol
string
success, when port forwarding is in task
Protocol to apply NAT rule to.

Sample:
tcp
     
publicPort
integer
success, when port forwarding is in task
Destination port of the traffic that is arriving on WAN.

Sample:
9443
      uplink
string
success, when port forwarding is in task
Internet port where rule is applied.

Sample:
internet1


Authors

  • Kevin Breit (@kbreit)