MX75 as router without NAT, so we can use a public IP address on the LAN side

Sbutiger
New here


We were assigned a single public IP and another block of /29 IP addresses by our ISP, and need to set up the Meraki to route traffic (without any restriction, without NAT) so we will be able to use the public IP block on the LAN side.

We have already connected the MX 75 unit via SFP and put the single public IP on the WAN port; it is now live on the Meraki dashboard. Can anyone advise how I can achieve this?

11 Replies
Ryan_Miles
Meraki Employee

Create a VLAN on the MX using the /29 subnet.

Then use the 1:1 NAT section and enter the public IP in both the Public and LAN IP sections.

[Screenshot: Screenshot 2024-05-18 at 07.51.53.png]

There are several past threads on the topic as well. Example, this one.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
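To make the "public IP in both the Public and LAN IP fields" approach concrete, here is an added example (not code from Ryan, Meraki or the original post) that builds the MX VLAN object and the per-address 1:1 NAT rules for a /29, and audits a rule set for entries that would actually translate instead of passing the address through. The field names (`applianceIp`, `publicIp`, `lanIp`, `uplink`, `allowedInbound`) follow the Meraki Dashboard API objects as I know them and are an assumption to verify against the current API reference; the 203.0.113.8/29 block and the WAN address are constructed sample values.

```python
"""Build MX VLAN and 1:1 NAT payloads for passing a public /29 through untranslated."""
import ipaddress

# Assumed to match the Dashboard API's oneToOneNatRules schema; verify before use.
ANY_INBOUND = [{"protocol": "any", "destinationPorts": ["any"], "allowedIps": ["any"]}]


def build_passthrough_config(block, vlan_id, vlan_name, uplink="internet1",
                             uplink_ip=None, allowed_inbound=ANY_INBOUND):
    """Return (vlan_payload, nat_rules) for a public block on the MX LAN side.

    The MX takes the first usable address as its VLAN interface; every other
    usable address gets a 1:1 NAT rule whose publicIp equals its lanIp, so the
    MX forwards that address unchanged to the device holding it on the LAN.
    """
    net = ipaddress.ip_network(block, strict=True)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("need an IPv4 block with at least two usable hosts")
    if uplink_ip is not None and ipaddress.ip_address(uplink_ip) in net:
        raise ValueError("the WAN address must not come from the LAN-side block")
    hosts = list(net.hosts())
    vlan = {"id": vlan_id, "name": vlan_name, "subnet": str(net),
            "applianceIp": str(hosts[0])}
    rules = [{"name": f"passthrough-{host}", "publicIp": str(host),
              "lanIp": str(host), "uplink": uplink, "allowedInbound": allowed_inbound}
             for host in hosts[1:]]
    return vlan, rules


def audit_passthrough_rules(rules, block):
    """Return names of rules that are not untranslated passthrough for `block`:
    publicIp differs from lanIp (a real translation), an address outside the
    block, or a public address already claimed by an earlier rule."""
    net = ipaddress.ip_network(block, strict=True)
    seen, bad = set(), []
    for rule in rules:
        pub = ipaddress.ip_address(rule["publicIp"])
        lan = ipaddress.ip_address(rule["lanIp"])
        if pub != lan or pub not in net or pub in seen:
            bad.append(rule["name"])
        seen.add(pub)
    return bad
```

Because `allowedInbound` defaults to any protocol from any source, which is what "without any restriction" asks for, each downstream firewall is fully exposed on its address; pass a narrower `allowed_inbound` list if only the VPN ports need to reach them.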
Sbutiger
New here

Many thanks, Ryan,

On the LAN side we will have 3 firewalls, and all of them require a public IP sitting on their WAN interface.

All of the firewalls will accept dial-up VPN connections from different groups of users.

Can you advise?

Thanks

Ryan_Miles
Meraki Employee

Here's an example of what I mean: https://docs.google.com/presentation/d/1pMqZk4PKk5VYOqPQqj0-WoYb3cVDjPmzCVfYYBBPBCs/edit?usp=sharing

Also, if these are downstream firewalls with public IPs, perhaps you can just connect them to the provider edge equipment instead of placing them behind the MX?

Ryan

PhilipDAth
Kind of a big deal

Ryan's approach is what I would use for a /29 as well.

If you have larger blocks you can also open a support case and request NO-NAT be enabled. Note that this is not compatible with AnyConnect (AnyConnect will stop working).

You then get options like this to control NATing:

[Screenshot: PhilipDAth_0-1716153533910.png]

RaphaelL
Kind of a big deal

I think that NO-NAT doesn't require you to call Support anymore. It is available via the Early Access page.

Ryan_Miles
Meraki Employee

It has been removed from the EAP page due to issues. It should return soon once resolved.

Ryan

alemabrahao
Kind of a big deal

Do you want to use public IP devices via the LAN? Is that right?

The MX does automatic NAT, so you cannot pass this traffic through it; you need an L2 switch to extend your ISP's interface to the other devices that you intend to configure with your public address block. Even so, a /29 is a small addressing block.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
pdeleuw
Getting noticed

You can configure NAT exemption per uplink. This feature is available as beta (Security & SD-WAN > Addressing & VLANs).

alemabrahao
Kind of a big deal

I know, but I don't see the point in configuring it like this since you can connect the links directly to each device. In my opinion, it is another point of failure.

pdeleuw
Getting noticed

I do not completely understand your point. Why is it another point of failure? You need a routing device without NAT. NAT exemption would achieve this, I think. You can configure a VLAN interface on the LAN side with one address out of the /29 subnet.

KarstenI
Kind of a big deal

I would use an L3-Switch for this task; for example, a Catalyst c9200cx.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.