cisco.meraki.meraki_mx_nat – Manage NAT rules in Meraki cloud

Note

This plugin is part of the cisco.meraki collection (version 2.2.1).

To install it use: ansible-galaxy collection install cisco.meraki.

To use it in a playbook, specify: cisco.meraki.meraki_mx_nat.

Synopsis

• Allows for creation, management, and visibility of NAT rules (1:1, 1:many, port forwarding) within Meraki.

Parameters

Parameter			Choices/Defaults	Comments
auth_key string / required				Authentication key provided by the dashboard. Required if environmental variable MERAKI_KEY is not set.
host string			Default: "api.meraki.com"	Hostname for Meraki dashboard. Can be used to access regional Meraki environments, such as China.
internal_error_retry_time integer			Default: 60	Number of seconds to retry if server returns an internal server error.
net_id string				ID number of a network.
net_name string				Name of a network. aliases: name, network
one_to_many list / elements=dictionary				List of 1:many NAT rules.
	port_rules list / elements=dictionary			List of associated port rules.
		allowed_ips list / elements=string		Remote IP addresses or ranges that are permitted to access the internal resource via this port forwarding rule, or 'any'.
		local_ip string		Local IP address to which traffic will be forwarded.
		local_port string		Destination port of the forwarded traffic that will be sent from the MX to the specified host on the LAN. If you simply wish to forward the traffic without translating the port, this should be the same as the Public port.
		name string		A description of the rule.
		protocol string	Choices: tcp udp	Protocol to apply NAT rule to.
		public_port string		Destination port of the traffic that is arriving on the WAN.
	public_ip string			The IP address that will be used to access the internal resource from the WAN.
	uplink string		Choices: both internet1 internet2	The physical WAN interface on which the traffic will arrive.
one_to_one list / elements=dictionary				List of 1:1 NAT rules.
	allowed_inbound list / elements=dictionary			The ports this mapping will provide access on, and the remote IPs that will be allowed access to the resource.
		allowed_ips list / elements=string		ranges of WAN IP addresses that are allowed to make inbound connections on the specified ports or port ranges, or 'any'.
		destination_ports list / elements=string		List of ports or port ranges that will be forwarded to the host on the LAN.
		protocol string	Choices: any ← icmp-ping tcp udp	Protocol to apply NAT rule to.
	lan_ip string			The IP address of the server or device that hosts the internal resource that you wish to make available on the WAN.
	name string			A descriptive name for the rule.
	public_ip string			The IP address that will be used to access the internal resource from the WAN.
	uplink string		Choices: both internet1 internet2	The physical WAN interface on which the traffic will arrive.
org_id string				ID of organization associated to a network.
org_name string				Name of organization. aliases: organization
output_format string			Choices: snakecase ← camelcase	Instructs module whether response keys should be snake case (ex. net_id) or camel case (ex. netId).
output_level string			Choices: debug normal ←	Set amount of debug output during module execution.
port_forwarding list / elements=dictionary				List of port forwarding rules.
	allowed_ips list / elements=string			List of ranges of WAN IP addresses that are allowed to make inbound connections on the specified ports or port ranges (or any).
	lan_ip string			The IP address of the server or device that hosts the internal resource that you wish to make available on the WAN.
	local_port integer			A port or port ranges that will receive the forwarded traffic from the WAN.
	name string			A descriptive name for the rule.
	protocol string		Choices: tcp udp	Protocol to forward traffic for.
	public_port integer			A port or port ranges that will be forwarded to the host on the LAN.
	uplink string		Choices: both internet1 internet2	The physical WAN interface on which the traffic will arrive.
rate_limit_retry_time integer			Default: 165	Number of seconds to retry if rate limiter is triggered.
state string			Choices: present ← query	Create or modify an organization.
subset list / elements=string			Choices: 1:1 1:many all ← port_forwarding	Specifies which NAT components to query.
timeout integer			Default: 30	Time to timeout for HTTP requests.
use_https boolean			Choices: no yes ←	If no, it will use HTTP. Otherwise it will use HTTPS. Only useful for internal Meraki developers.
use_proxy boolean			Choices: no ← yes	If no, it will not use a proxy, even if one is defined in an environment variable on the target hosts.
validate_certs boolean			Choices: no yes ←	Whether to validate HTTP certificates.

Notes

Note

• More information about the Meraki API can be found at https://dashboard.meraki.com/api_docs.

• Some of the options are likely only used for developers within Meraki.

• As of Ansible 2.9, Meraki modules output keys as snake case. To use camel case, set the ANSIBLE_MERAKI_FORMAT environment variable to camelcase.

• Ansible’s Meraki modules will stop supporting camel case output in Ansible 2.13. Please update your playbooks.

• Check Mode downloads the current configuration from the dashboard, then compares changes against this download. Check Mode will report changed if there are differences in the configurations, but does not submit changes to the API for validation of change.

Examples

- name: Query all NAT rules
  meraki_nat:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: query
    subset: all
  delegate_to: localhost

- name: Query 1:1 NAT rules
  meraki_nat:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: query
    subset: '1:1'
  delegate_to: localhost

- name: Create 1:1 rule
  meraki_nat:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    one_to_one:
      - name: Service behind NAT
        public_ip: 1.2.1.2
        lan_ip: 192.168.128.1
        uplink: internet1
        allowed_inbound:
          - protocol: tcp
            destination_ports:
              - 80
            allowed_ips:
              - 10.10.10.10
  delegate_to: localhost

- name: Create 1:many rule
  meraki_nat:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    one_to_many:
      - public_ip: 1.1.1.1
        uplink: internet1
        port_rules:
          - name: Test rule
            protocol: tcp
            public_port: 10
            local_ip: 192.168.128.1
            local_port: 11
            allowed_ips:
              - any
  delegate_to: localhost

- name: Create port forwarding rule
  meraki_nat:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    port_forwarding:
      - name: Test map
        lan_ip: 192.168.128.1
        uplink: both
        protocol: tcp
        allowed_ips:
          - 1.1.1.1
        public_port: 10
        local_port: 11
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key					Returned	Description
data complex					success	Information about the created or manipulated object.
	one_to_many complex				success, when 1:many NAT object is in task	Information about 1:many NAT object.
		rules complex			success, when 1:many NAT object is in task	List of 1:many NAT rules.
			portRules complex		success, when 1:many NAT object is in task	List of NAT port rules.
				allowedIps list / elements=string	success, when 1:1 NAT object is in task	List of IP addresses to be forwarded. Sample: 10.80.100.0/24
				localIp string	success, when 1:1 NAT object is in task	Local IP address traffic will be forwarded. Sample: 192.0.2.10
				localPort integer	success, when 1:1 NAT object is in task	Destination port to be forwarded to. Sample: 443
				name string	success, when 1:many NAT object is in task	Name of NAT object. Sample: Web server behind NAT
				protocol string	success, when 1:1 NAT object is in task	Protocol to apply NAT rule to. Sample: tcp
				publicPort integer	success, when 1:1 NAT object is in task	Destination port of the traffic that is arriving on WAN. Sample: 9443
			publicIp string		success, when 1:many NAT object is in task	Public IP address to be mapped. Sample: 148.2.5.100
			uplink string		success, when 1:many NAT object is in task	Internet port where rule is applied. Sample: internet1
	one_to_one complex				success, when 1:1 NAT object is in task	Information about 1:1 NAT object.
		rules complex			success, when 1:1 NAT object is in task	List of 1:1 NAT rules.
			allowedInbound complex		success, when 1:1 NAT object is in task	List of inbound forwarding rules.
				allowedIps list / elements=string	success, when 1:1 NAT object is in task	List of IP addresses to be forwarded. Sample: 10.80.100.0/24
				destinationPorts string	success, when 1:1 NAT object is in task	Ports to apply NAT rule to. Sample: 80
				protocol string	success, when 1:1 NAT object is in task	Protocol to apply NAT rule to. Sample: tcp
			lanIp string		success, when 1:1 NAT object is in task	Local IP address to be mapped. Sample: 192.168.128.22
			name string		success, when 1:1 NAT object is in task	Name of NAT object. Sample: Web server behind NAT
			publicIp string		success, when 1:1 NAT object is in task	Public IP address to be mapped. Sample: 148.2.5.100
			uplink string		success, when 1:1 NAT object is in task	Internet port where rule is applied. Sample: internet1
	port_forwarding complex				success, when port forwarding is in task	Information about port forwarding rules.
		rules complex			success, when port forwarding is in task	List of port forwarding rules.
			allowedIps list / elements=string		success, when port forwarding is in task	List of IP addresses to be forwarded. Sample: 10.80.100.0/24
			lanIp string		success, when port forwarding is in task	Local IP address to be mapped. Sample: 192.168.128.22
			localPort integer		success, when port forwarding is in task	Destination port to be forwarded to. Sample: 443
			name string		success, when port forwarding is in task	Name of NAT object. Sample: Web server behind NAT
			protocol string		success, when port forwarding is in task	Protocol to apply NAT rule to. Sample: tcp
			publicPort integer		success, when port forwarding is in task	Destination port of the traffic that is arriving on WAN. Sample: 9443
			uplink string		success, when port forwarding is in task	Internet port where rule is applied. Sample: internet1

Authors

• Kevin Breit (@kbreit)