Can we make public IP on Meraki LAN ports reachable from Internet?

ArunKonkati
Comes here often

I have a requirement wherein we have /29 public subnets in our LAN and we would like them to be accessible from the Internet.

However, even the public IP configured on the LAN port is not reachable from the Internet.

Is there any way to achieve this, or is it not possible due to a zones issue?

20 Replies
BrandonS
Kind of a big deal

If I understand correctly, you can do this. You don't put the public /29 on the LAN side though. You assign one of the usable /29 addresses on the WAN and then use 1:1 NAT to match public IP to private IP.

The security risks should be quite obvious so you would want to consider only allowing access from specific IP ranges if possible. This can be set in the 1:1 NAT rules. I would also put those publicly accessible hosts in a DMZ like: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Security...

- Ex community all-star (⌐⊙_⊙)
ArunKonkati
Comes here often

Thanks for your quick response Brandon.

My requirement is quite different. Please find the diagram below where I have tried to explain my requirement. Please pardon my Paint skills.

[attached diagram: ArunKonkati_1-1604593298372.png]

  • I would like to use the MX only for load balancing and failover.
  • NAT will be done on the existing firewall and not on the Meraki.
  • I must have a public IP interconnect on the LAN interface.

It would be great if you could let me know if the above scenario is doable in any way. Appreciate your help!

KarstenI
Kind of a big deal

To disable NAT on the MX you need to run the Beta version 15. But it is still a firewall and you need to allow the incoming connections. I really would change my design as the MX is not really designed for this use-case.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
ArunKonkati
Comes here often

Thanks KarstenI!

I tried running beta version 15 as well, but the LAN IP is still not reachable.

And I do not see the option to configure inbound rules.

[attached screenshot: ArunKonkati_0-1604596105823.png]

Could you please assist with where we have to configure inbound rules?

KarstenI
Kind of a big deal

These are the forwarding rules that are at the bottom of the page. But sadly, I have no idea how to apply them in this use case. I would first try to configure a couple of 1:1 NATs for all addresses and allow the complete port range. But as I said, I have no idea if that will work. I still think it is the wrong device for the right job.

PhilipDAth
Kind of a big deal

You need to open a support ticket and request the NO-NAT feature. You can then say not to use NAT between the VLAN and a VLAN port.

KarstenI
Kind of a big deal

Hi @PhilipDAth, is that something different compared to the function available in version 15? Does that solve the problem of inbound firewall rules?

Bruce
Kind of a big deal

Support can enable the inbound firewall in routed mode, as well as enable no-nat as @PhilipDAth said. 

@ArunKonkati How about using the MX in inline mode for this requirement? I haven’t thought it all through, but worth considering in this case.

ArunKonkati
Comes here often

Hi @Bruce, we have upgraded the FW to the beta version and disabled NAT. However, the public subnets configured on or beyond the LAN port are still not reachable from the Internet.

The Internet is accessible from LAN.

Is this a default feature in Meraki where the LAN subnet is not reachable from the Internet?

The requirement is really simple. We need LAN subnets to be accessible.

[attached diagram: ArunKonkati_0-1604766815767.png]

cmr
Kind of a big deal

@ArunKonkati is the public IP on the LAN in a different subnet to the public IPs on the MX WANs? It needs to be unless you have the MX in passthrough mode.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
ArunKonkati
Comes here often

Yes @cmr, the public IPs are in different subnets.

cmr
Kind of a big deal

Do both WANs know that the public IP subnet you have on the LAN is behind them?

i.e. the service providers who supply the connections need to know that you have another subnet that you want the world to see. Normally they only advertise the ranges provided by them and without that the world will not know your MX LAN subnet exists.

Even with NAT turned off the MX still routes so the outbound traffic works as the MX knows about the LAN subnet.

KarstenI
Kind of a big deal

I'm still quite convinced that it's all about incoming access-control on the MX.

cmr
Kind of a big deal

If you have an MPLS WAN you have to tell the provider what networks you have at each site so their routing core knows where to pass traffic that it doesn't directly see. 

@KarstenI I believe the same applies here as how else would you or I know that @ArunKonkati's public network was behind the two WANs he has?

I may be wrong as my technical training was in L1/L2, but I'd like to know how it can work otherwise.

ArunKonkati
Comes here often

@KarstenI That is the only option left for me to test now. Support has disabled NAT, however the inbound rules still don't have anything that can be configured. I am not sure if the inbound rule is supposed to be like this or whether it should have some options.

[attached screenshot: ArunKonkati_0-1604771884076.png]

KarstenI
Kind of a big deal

Did you also ask support to enable the inbound firewall rules?

cmr
Kind of a big deal

Now I agree with @KarstenI , just wanting to make sure everything else was in order!

ArunKonkati
Comes here often

@cmr The public IPs configured on the LAN subnet are provided by the ISP and they have a static route for this subnet pointing towards the WAN IP. So yes, the WAN knows the whereabouts of the LAN subnet.

PhilipDAth
Kind of a big deal

>Hi @PhilipDAth Is that something different compared to the function available in version 15?

You'll still need inbound firewall rules, but NO-NAT allows the traffic to be routed directly through to an internal VLAN.

WillN
Getting noticed

Hi Arun, I think Brandon's probably got the best way forward for you on this:
  • Create a VLAN that matches the /29 public range you have.
  • Build 1:1 NAT rules that match public IPs to private VLAN IP addresses (one for each usable address in the subnet).

[attached screenshot: WillN_0-1604964412266.png]

The Meraki MX will operate as a NAT device unless you enable the NO-NAT beta feature; the above rules will allow inbound traffic to pass the MX firewall without solicitation.

The ONLY other way to do this with a Meraki would be to combine the NO-NAT beta version with the Meraki MX being moved to a stateless version (through a support ticket), and then you'd be responsible for defining all inbound FW rules and allowing traffic to pass through without being blocked by the MX.

Be careful if you're using devices behind the MX to build VPNs as well; additional rules would need to be applied to allow ESP through.
