While I am using 1:1 NAT for my Exchange server everything is working perfectly.
When I am configuring 1:Many NAT for the Exchange server, outbound SMTP takes the MX 100 public IP address.
Public IP for MX 100: X.X.X.20
Public IP for Exchange : X.X.X.21
LAN IP for exchange: 192.168.1.6
LAN IP for Email security Gateway: 192.168.1.7
While I am configuring 1:Many as below:
X.X.X.21:25 to 192.168.1.7 and all other ports to 192.168.1.6.
Outbound traffic is going through X.X.X.20 only.
Any solution for this?
NAT only affects inbound traffic. Outbound goes through the WAN IP regardless of your NAT rules.
I'm brainstorming options for you on this but isn't inbound most important? Is the outbound traffic causing an issue for you? Can you please explain what limitation is occurring?
Here the public IP for Exchange, X.X.X.21, has the reverse DNS and MX records for the Exchange server.
So, I need to send SMTP traffic (port 25) from the above public address only.
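Why the egress address matters is worth making concrete: receiving servers check the connecting IP against the domain's SPF record and its reverse DNS, so mail leaving from X.X.X.20 while only X.X.X.21 is published will fail those checks. The check below is an added example, not from the thread or from Meraki; it uses constructed records in the 203.0.113.0/24 documentation range in place of X.X.X.20/.21 and a hypothetical example.com zone, so it runs offline.

```python
import ipaddress

# Constructed records mirroring the thread: .21 is the published mail address,
# .20 is the MX 100's primary WAN address that outbound traffic actually uses.
RECORDS = {
    "mx": ["mail.example.com"],                          # MX target(s) for the domain
    "a": {"mail.example.com": "203.0.113.21"},           # forward records
    "ptr": {"203.0.113.21": "mail.example.com",          # reverse records
            "203.0.113.20": "mx100.example.com"},
    "spf": "v=spf1 ip4:203.0.113.21 -all",
}

def spf_permits(spf, source_ip):
    """True if an ip4:/ip6: mechanism of the SPF record covers source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for term in spf.split()[1:]:            # skip the "v=spf1" version tag
        mech = term.lstrip("+-~?")          # strip the qualifier, if any
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return not term.startswith(("-", "~", "?"))
    return False                            # no ip mechanism matched

def ptr_round_trips(records, source_ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to source_ip."""
    name = records["ptr"].get(source_ip)
    return name is not None and records["a"].get(name) == source_ip

def check_outbound_source(records, source_ip):
    """Summarise whether mail leaving from source_ip will look legitimate."""
    mx_ips = {records["a"].get(host) for host in records["mx"]}
    return {
        "spf_permits": spf_permits(records["spf"], source_ip),
        "fcrdns": ptr_round_trips(records, source_ip),
        "is_mx_address": source_ip in mx_ips,
    }

if __name__ == "__main__":
    for ip in ("203.0.113.21", "203.0.113.20"):
        print(ip, check_outbound_source(RECORDS, ip))
```

Running it shows every check passing for the .21 address and failing for .20, which is exactly what a receiving server sees when the 1:Many rule is in place.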
Instead of using NAT can you assign the public IP directly to the mail server and have it live in a DMZ?
Example: if your ISP gives you a block of public IPs, the single cable your service delivers would need to connect to a switch using Layer 2. One way to do this without having to use additional hardware is to just set up a few ports on your Meraki switch with a VLAN that you don't use. Note: all the ports would need to be in the same VLAN so the traffic stays together. The cable from the ISP would connect to one of those ports; one of those ports would go to the MX WAN port to service traffic as it currently does, and another one of those ports would go directly to the server you want to have a WAN IP. At that point, you could assign a WAN IP directly to your server. The traffic will be going direct and not through the MX, so you'll want to make sure to lock it down at the host level and also using ACLs if desired.
EDIT: Then all traffic to/from that server will be the WAN IP. No NAT necessary.
Regarding the issue of NATting public IPs in the tunnel: I have a non-Meraki vendor who will not allow a private IP address for the encryption domain. This is a one-way tunnel with the vendor sending files to our host. With our existing ASAs we can NAT public IPs inside the tunnel, no problem. Is this possible with the Meraki MX250?