I have a requirement wherein we have /29 public subnets in our LAN and we would like them to be accessible from the Internet.
However, even the public IP configured on the LAN port is not reachable from the Internet.
Is there any way to achieve this, or is it not possible due to a zones issue?
If I understand correctly, you can do this. You don't put the public /29 on the LAN side though. You assign one of the usable /29 addresses on the WAN and then use 1:1 NAT to match the public IP to the private IP.
The security risks should be quite obvious so you would want to consider only allowing access from specific IP ranges if possible. This can be set in the 1:1 NAT rules. I would also put those publicly accessible hosts in a DMZ like: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Security...
Thanks for your quick response Brandon.
My requirement is quite different. Please find the diagram below where I have tried to explain my requirement. Please pardon my Paint skills.
It would be great if you could let me know if the above scenario is doable in any way. Appreciate your help!
To disable NAT on the MX you need to run the Beta version 15. But it is still a firewall and you need to allow the incoming connections. I really would change my design as the MX is not really designed for this use-case.
I tried running Beta Version 15 as well; still the LAN IP is not reachable.
And I do not see the option to configure Inbound rules.
Could you please assist where do we have to configure Inbound rules?
These are the forwarding rules that are at the bottom of the page. But sadly, I have no idea how to apply them in this use case. I would first try to configure a couple of 1:1 NATs for all addresses and allow the complete port range. But as I said, I have no idea if that will work. I still think it is the wrong device for the right job.
You need to open a support ticket and request the NO-NAT feature. You can then say not to use NAT between the VLAN and a VLAN port.
Hi @PhilipDAth Is that something different compared to the function available in version 15? Does that solve the problem of inbound firewall-rules?
Hi @Bruce, we have upgraded the firmware to the Beta version and disabled NAT. However, the public subnets configured on or beyond the LAN port are still not reachable from the Internet.
The Internet is accessible from LAN.
Is this a default feature in Meraki where the LAN subnet is not reachable from the Internet?
The requirement is really simple. We need LAN subnets to be accessible.
@ArunKonkati is the public IP on the LAN in a different subnet to the public IPs on the MX WANs? It needs to be unless you have the MX in passthrough mode.
Do both WANs know that the public IP subnet you have on the LAN is behind them?
I.e., the service providers who supply the connections need to know that you have another subnet that you want the world to see. Normally they only advertise the ranges provided by them, and without that the world will not know your MX LAN subnet exists.
Even with NAT turned off the MX still routes so the outbound traffic works as the MX knows about the LAN subnet.
If you have an MPLS WAN you have to tell the provider what networks you have at each site so their routing core knows where to pass traffic that it doesn't directly see.
I may be wrong as my technical training was in L1/L2, but I'd like to know how it can work otherwise.
@KarstenI That is the only option left for me to test now. Support has disabled NAT; however, the Inbound Rules still don't have anything that can be configured. I am not sure if the Inbound rule is supposed to be like this or should have some options.
@cmr The public IPs configured on the LAN subnet are provided by the ISP and they have a static route for this subnet pointing towards the WAN IP. So yes, the WAN knows the whereabouts of the LAN subnet.
>Hi @PhilipDAth Is that something different compared to the function available in version 15?
You'll still need inbound firewall rules, but NO-NAT allows the traffic to be routed directly through to an internal VLAN.
Hi Arun, I think Brandon's probably got the best way forward for you on this.
Create a VLAN that matches the /29 public range you have
Build 1:1 NAT rules that match public IPs to private VLAN IP addresses (one for each usable address in the subnet)
The Meraki MX will operate as a NAT device unless you enable the NO-NAT beta feature; the above rules will allow inbound traffic to pass the MX firewall without solicitation.
The ONLY other way to do this with a Meraki would be to combine the NO-NAT beta version with the Meraki MX being moved to a stateless version (through a support ticket), and then you'd be responsible for defining all inbound FW rules and allowing traffic to pass through without being blocked by the MX.
Be careful if you're using devices behind the MX to build VPNs as well, additional rules would need to be applied to allow ESP through.
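Added illustration of the plan in the last two answers (and Brandon's earlier one): enumerate the usable addresses of the public /29, pair each with a host on a private VLAN for a 1:1 NAT rule, check that the public range does not overlap the MX WAN subnets (cmr's point), and flag any rule whose allowed inbound sources are left as "any". This is example code written for this thread, not Meraki code and not a Dashboard API client; the subnets, the WAN range and the rule names are constructed values, and the assumption that the first usable private address is the MX's own VLAN interface is mine.

```python
"""Plan 1:1 NAT mappings for a public /29 terminated on an MX WAN.

Added example for the thread above; not Meraki's code. All addresses
below are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class OneToOneNatRule:
    """One dashboard-style 1:1 NAT entry: public IP -> LAN IP, with the
    remote source ranges that are allowed to connect inbound."""
    name: str
    public_ip: str
    lan_ip: str
    allowed_sources: List[str] = field(default_factory=list)


def _parse_source(src: str) -> ipaddress.IPv4Network:
    """'any' is treated as 0.0.0.0/0; everything else must be a valid prefix."""
    if src.strip().lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(src, strict=False)


def usable_hosts(cidr: str) -> List[str]:
    """Usable host addresses of a prefix (network and broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=True).hosts()]


def check_no_overlap(public_lan_cidr: str, wan_cidrs: List[str]) -> None:
    """The public range mapped behind the MX must be distinct from the
    subnets on its WAN interfaces, otherwise it cannot be routed to the LAN."""
    lan = ipaddress.ip_network(public_lan_cidr, strict=True)
    for w in wan_cidrs:
        wan = ipaddress.ip_network(w, strict=False)
        if lan.overlaps(wan):
            raise ValueError(f"public LAN range {lan} overlaps WAN subnet {wan}")


def plan_one_to_one_nat(public_lan_cidr: str, private_vlan_cidr: str,
                        wan_cidrs: List[str], allowed_sources: List[str],
                        name_prefix: str = "srv") -> List[OneToOneNatRule]:
    """Pair the n-th usable public address with the n-th private host.

    Assumption: the first usable address of the private VLAN is the MX's
    own interface, so server addresses start at the second usable host.
    """
    check_no_overlap(public_lan_cidr, wan_cidrs)
    for s in allowed_sources:          # fail early on a typo in a source range
        _parse_source(s)
    public = usable_hosts(public_lan_cidr)
    private = usable_hosts(private_vlan_cidr)[1:]
    if len(private) < len(public):
        raise ValueError("private VLAN has too few hosts for the public range")
    return [OneToOneNatRule(f"{name_prefix}-{i + 1}", pub, priv, list(allowed_sources))
            for i, (pub, priv) in enumerate(zip(public, private))]


def wide_open_rules(rules: List[OneToOneNatRule]) -> List[str]:
    """Names of rules that accept inbound connections from any source.

    An empty source list is reported too: it means nobody restricted it."""
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    flagged = []
    for r in rules:
        srcs = [_parse_source(s) for s in r.allowed_sources]
        if not srcs or any(s == anywhere for s in srcs):
            flagged.append(r.name)
    return flagged


if __name__ == "__main__":
    plan = plan_one_to_one_nat("203.0.113.8/29", "192.168.50.0/24",
                               wan_cidrs=["198.51.100.0/30"],
                               allowed_sources=["192.0.2.0/24"])
    for rule in plan:
        print(f"{rule.name}: {rule.public_ip} -> {rule.lan_ip} "
              f"from {', '.join(rule.allowed_sources)}")
    print("rules open to the whole Internet:", wide_open_rules(plan) or "none")
```

The output is a checklist to type into the 1:1 NAT page, one row per usable address, and the overlap check catches the configuration cmr asked about before anything is committed to the dashboard.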