Meraki

Community

MX75 as router with out NAT, so we can use public IP address on LAN side

Sbutiger
New here
‎May 18 2024 7:11 AM
‎May 18 2024 7:11 AM

MX75 as router with out NAT, so we can use public IP address on LAN side

We were assigned a single public IP  and another block of  /29 IP address by our ISP, need to setup the Meraki to  route traffic (without any restriction, without NAT) so we will be able to use the public IP block on the LAN side.

We have already connected the MX 75 unit via SFP and put the single public IP on the WAN port,  it is now live on the meraki dashback, can anyone advise how I can achieve this?

0 Kudos
11 Replies 11
Ryan_Miles
Meraki Employee
Meraki Employee
‎May 18 2024 7:53 AM
‎May 18 2024 7:53 AM

Create a VLAN on the MX using the /29 subnet.

 

Then use the 1:1 NAT section and enter the public IP in both the Public and LAN IP sections.

 

Screenshot 2024-05-18 at 07.51.53.png

 

There are several past threads on the topic as well. Example, this one.

In response to Ryan_Miles
Sbutiger
New here
‎May 18 2024 9:20 AM
‎May 18 2024 9:20 AM

Many thanks, Ryan, 

 

On the LAN side we will have 3 firewalls and all of them require public IP siting on their WAN Interface

all of the firewall will accept dial up VPN connection from different groups of users. 

 

Can you advise?

 

Thanks

0 Kudos
In response to Sbutiger
Ryan_Miles
Meraki Employee
Meraki Employee
‎May 18 2024 4:14 PM
‎May 18 2024 4:14 PM

Here's an example of what I mean https://docs.google.com/presentation/d/1pMqZk4PKk5VYOqPQqj0-WoYb3cVDjPmzCVfYYBBPBCs/edit?usp=sharing

 

Also, if these are downstream firewalls with public IPs perhaps you can just connect them to the provider edge equipment instead of being behind the MX?

0 Kudos
In response to Ryan_Miles
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 19 2024 2:19 PM
‎May 19 2024 2:19 PM

Ryan's approach is what I would use for a /29 as well.

 

If you have larger blocks you can also open a support case and request NO-NAT be enabled.  Note that this is not compatible with AnyConnect (AnyConnect will stop working).

 

You then get options like this to control NATing:

 

PhilipDAth_0-1716153533910.png

 

0 Kudos
In response to PhilipDAth
RaphaelL
Kind of a big deal
Kind of a big deal
‎May 19 2024 5:34 PM
‎May 19 2024 5:34 PM

I think that NO-NAT doesn't require you to call Support anymore. It is available via the Early Access page

In response to RaphaelL
Ryan_Miles
Meraki Employee
Meraki Employee
‎May 20 2024 7:07 AM
‎May 20 2024 7:07 AM

It has been removed from the EAP page due to issues. It should return soon once resolved.

0 Kudos
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 18 2024 11:27 AM
‎May 18 2024 11:27 AM

Do you want to use public IP devices via LAN? Is that right?

 

The MX does automatic NAT so you cannot pass this traffic through it, you need an L2 switch to extend your ISP's interface to the other devices that you intend to configure with your public address block. Even so, a /29 is a small addressing block.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
pdeleuw
Getting noticed
‎May 20 2024 11:14 AM
‎May 20 2024 11:14 AM

You can configure NAT excemption per uplink. This feature is available as beta (Security & SD-WAN > Addressing & VLANs).

0 Kudos
In response to pdeleuw
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 20 2024 11:21 AM
‎May 20 2024 11:21 AM

I know, but I don't see the point in configuring it like this since you can connect the links directly to each device. In my opinion, it is another point of failure.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
pdeleuw
Getting noticed
‎May 20 2024 2:16 PM
‎May 20 2024 2:16 PM

I do not completely understand your point. Why is it another point of failure? You need a routing device without NAT. NAT excemption would achieve this, I think. You can configure a VLAN interface on the LAN side with one address out of the /29 subnet.

0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎May 19 2024 12:18 PM
‎May 19 2024 12:18 PM

I would use an L3-Switch for this task; for example, a Catalyst c9200cx.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2025 Cisco Systems, Inc.