Meraki

Community

DMZ on multiple uplinks for failover

Roger_Britz
Conversationalist
‎Nov 11 2024 12:48 AM
‎Nov 11 2024 12:48 AM

DMZ on multiple uplinks for failover

Hi all,

 

We have created a DMZ on a Meraki MX85, by setting the public static block as a separate VLAN and then adding 1:1 NAT rules to allow remote connections on this VLAN.

There are servers on this VLAN with public IP addresses configured, and with the current setup they are reachable remotely.

The site also has a secondary WAN for Failover, however on the 1:1 NAT you can only specify a single uplink. The ISP has routing in place that will forward the public subnet down to the secondary link in a case where the primary has failed, however the 1:1 NAT rules only allows you to apply them to a single uplink.

 

Is there any way to set it so it will apply to the secondary in a case of failed primary link? Or is there a better way to set this up?

 

Roger

0 Kudos
5 Replies 5
cmr
Kind of a big deal
Kind of a big deal
‎Nov 11 2024 9:52 AM
‎Nov 11 2024 9:52 AM

Where does it stop you doing the mapping on the second WAN, I can save this config below:

cmr_0-1731347504521.png

 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
Roger_Britz
Conversationalist
‎Nov 11 2024 9:29 PM
‎Nov 11 2024 9:29 PM

It's when trying to apply the same 1:1 NAT on both Primary and Secondary.

So using the same Public IP on both rules, it does not allow

In response to Roger_Britz
cmr
Kind of a big deal
Kind of a big deal
‎Nov 12 2024 12:45 AM
‎Nov 12 2024 12:45 AM

I can see why that wouldn't work, as 1:1 NAT works both ways, the firewall wouldn't know what the next hop was for outbound traffic from the internal IP.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
Roger_Britz
Conversationalist
‎Nov 14 2024 2:13 AM
‎Nov 14 2024 2:13 AM

That makes sense.

Do you perhaps know of a different way to set it up that would work?

I have looked into the NAT exception feature which can work because you can disable NAT on both uplinks, my issue with that though is the customer then loses the Client VPN functionality and can't reach the other VLAN remotely

0 Kudos
In response to Roger_Britz
cmr
Kind of a big deal
Kind of a big deal
‎Nov 16 2024 12:16 AM
‎Nov 16 2024 12:16 AM

Indeed.  In not sure you can do this just with a single MX instance.  @DarrenOC how would you approach this?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.