1:Many NAT rule outbound traffic not taking Public IP address

Aj1

While I am using 1:1 NAT for my Exchange server, everything is working perfectly.

When I configure 1:Many NAT to the Exchange server, SMTP outbound is taking the MX 100 public IP address.

 

Public IP for MX 100:  X.X.X.20

Public IP for Exchange :  X.X.X.21


LAN IP for exchange: 192.168.1.6

LAN IP for Email security Gateway: 192.168.1.7

While I am configuring 1:Many as below:

X.X.X.21:25 to 192.168.1.7 and all other ports to 192.168.1.6.

Outbound traffic is going through X.X.X.20 only.

Any solution for this?

Adam

NAT only affects inbound traffic. Outbound goes through the WAN IP regardless of your NAT rules.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Aj1

Is there any way to achieve this with Meraki?
Adam

I'm brainstorming options for you on this, but isn't inbound most important? Is the outbound traffic causing an issue for you? Can you please explain what limitation is occurring?

Aj1

Here the public IP for Exchange, X.X.X.21, has the reverse DNS and MX records for the Exchange server.

So I need to send SMTP traffic (port 25) from the above public address only.

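The reason the source address matters is that receiving mail servers check whether the connecting IP has a PTR record that forward-confirms, and often whether that host is the domain's published MX. The check below is an added example, not code from the thread or from Meraki; it runs against a constructed in-memory zone (203.0.113.20/.21 stand in for the thread's X.X.X.20/.21, example.com for the real domain) so it works offline, and the `resolve` callable can be swapped for a real resolver.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an outbound SMTP source IP.

Added example: given the IP that outbound SMTP actually leaves from, verify
that (1) the IP has a PTR record, (2) the PTR hostname resolves back to the
same IP, and (3) that hostname is one of the domain's MX hosts. Egressing
from the wrong WAN IP fails (3) even when (1) and (2) pass.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed zone data. 203.0.113.0/24 is the RFC 5737 documentation range;
# .21 plays the Exchange public IP, .20 plays the MX appliance's own WAN IP.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "PTR:203.0.113.21": ["mail.example.com."],
    "A:mail.example.com.": ["203.0.113.21"],
    "MX:example.com.": ["mail.example.com."],
    "PTR:203.0.113.20": ["mx100.example.com."],
    "A:mx100.example.com.": ["203.0.113.20"],
}

Resolver = Callable[[str, str], List[str]]


def lookup(rtype: str, name: str) -> List[str]:
    """Resolver stub over the constructed zone (returns [] for NXDOMAIN)."""
    return CONSTRUCTED_ZONE.get(f"{rtype}:{name}", [])


@dataclass
class SmtpSourceCheck:
    source_ip: str
    ptr_hosts: List[str]
    fcrdns_ok: bool      # PTR hostname resolves back to source_ip
    listed_in_mx: bool   # PTR hostname is one of the domain's MX hosts


def check_smtp_source(source_ip: str, mail_domain: str,
                      resolve: Resolver = lookup) -> SmtpSourceCheck:
    """Evaluate whether mail sent from source_ip will pass FCrDNS/MX checks."""
    ptr_hosts = resolve("PTR", source_ip)
    fcrdns_ok = any(source_ip in resolve("A", host) for host in ptr_hosts)
    mx_hosts = set(resolve("MX", mail_domain))
    listed_in_mx = any(host in mx_hosts for host in ptr_hosts)
    return SmtpSourceCheck(source_ip, ptr_hosts, fcrdns_ok, listed_in_mx)


if __name__ == "__main__":
    for ip in ("203.0.113.21", "203.0.113.20", "203.0.113.22"):
        print(check_smtp_source(ip, "example.com."))
```

Run it before and after the topology change: the Exchange IP should report both flags true, while the appliance's WAN IP forward-confirms but is not the MX host, which is exactly the mismatch that gets outbound mail rejected or scored as spam.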
Adam

Instead of using NAT can you assign the public IP directly to the mail server and have it live in a DMZ?

Aj1

Can you please explain more about it?
Adam

Example: if your ISP gives you a block of public IPs, the single cable your service delivers would need to connect to a switch using Layer 2. One way to do this without having to use additional hardware is to just set up a few ports on your Meraki switch with a VLAN that you don't use. Note: all the ports would need to be in the same VLAN so the traffic stays together. The cable from the ISP would connect to one of those ports, then one of those ports would go to the MX WAN port to service traffic as it currently does, and another one of those ports would go directly to the server you desire to have a WAN IP. At that point, you could assign a WAN IP directly to your server. The traffic will be going direct and not through the MX, so you'll want to make sure to lock it down at the host level and also using ACLs if desired.

EDIT:  Then all traffic to/from that server will be the WAN IP.  No NAT necessary.  


Hi Adam,

Regarding the issue of natting public IPs in the tunnel.  I have a non-Meraki vendor who will not allow a private IP address for the encryption domain.  This is a one-way tunnel with the vendor sending files to our host. With our existing ASAs we can NAT public IPs inside the tunnel, no problem.  Is this possible with the Meraki MX250?

Thanks,
Eric