Meraki

Roger_Britz

Hi all,

We have created a DMZ on a Meraki MX85, by setting the public static block as a separate VLAN and then adding 1:1 NAT rules to allow remote connections on this VLAN.

There are servers on this VLAN with public IP addresses configured, and with the current setup they are reachable remotely.

The site also has a secondary WAN for Failover, however on the 1:1 NAT you can only specify a single uplink. The ISP has routing in place that will forward the public subnet down to the secondary link in a case where the primary has failed, however the 1:1 NAT rules only allows you to apply them to a single uplink.

Is there any way to set it so it will apply to the secondary in a case of failed primary link? Or is there a better way to set this up?

Roger

cmr

Where does it stop you doing the mapping on the second WAN, I can save this config below:

If my answer solves your problem please click Accept as Solution so others can benefit from it.

Roger_Britz

It's when trying to apply the same 1:1 NAT on both Primary and Secondary.

So using the same Public IP on both rules, it does not allow

cmr

I can see why that wouldn't work, as 1:1 NAT works both ways, the firewall wouldn't know what the next hop was for outbound traffic from the internal IP.

If my answer solves your problem please click Accept as Solution so others can benefit from it.

Roger_Britz

That makes sense.

Do you perhaps know of a different way to set it up that would work?

I have looked into the NAT exception feature which can work because you can disable NAT on both uplinks, my issue with that though is the customer then loses the Client VPN functionality and can't reach the other VLAN remotely

cmr

Indeed. In not sure you can do this just with a single MX instance. @DarrenOC how would you approach this?

If my answer solves your problem please click Accept as Solution so others can benefit from it.

Meraki

Community

DMZ on multiple uplinks for failover

DMZ on multiple uplinks for failover