Meraki

Community

DMZ on multiple uplinks for failover

Roger_Britz
Conversationalist
yesterday
yesterday

DMZ on multiple uplinks for failover

Hi all,

 

We have created a DMZ on a Meraki MX85, by setting the public static block as a separate VLAN and then adding 1:1 NAT rules to allow remote connections on this VLAN.

There are servers on this VLAN with public IP addresses configured, and with the current setup they are reachable remotely.

The site also has a secondary WAN for Failover, however on the 1:1 NAT you can only specify a single uplink. The ISP has routing in place that will forward the public subnet down to the secondary link in a case where the primary has failed, however the 1:1 NAT rules only allows you to apply them to a single uplink.

 

Is there any way to set it so it will apply to the secondary in a case of failed primary link? Or is there a better way to set this up?

 

Roger

0 Kudos
3 Replies 3
cmr
Kind of a big deal
Kind of a big deal
yesterday
yesterday

Where does it stop you doing the mapping on the second WAN, I can save this config below:

cmr_0-1731347504521.png

 

Charles Rayer | charles@remodi.uk
If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
Roger_Britz
Conversationalist
yesterday
yesterday

It's when trying to apply the same 1:1 NAT on both Primary and Secondary.

So using the same Public IP on both rules, it does not allow

In response to Roger_Britz
cmr
Kind of a big deal
Kind of a big deal
14 hours ago
14 hours ago

I can see why that wouldn't work, as 1:1 NAT works both ways, the firewall wouldn't know what the next hop was for outbound traffic from the internal IP.

Charles Rayer | charles@remodi.uk
If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.