How to connect a device to the MX84 with its own Public IP address
We recently purchased an MX84 and configured it simply as a firewall routing internet traffic out. Nothing coming in.
Now we have a need to connect a Cisco 800 device to our network. This will provide a secure VPN connection direct to our client. They have provided the device. They say it needs its own public IP address. We have a new static IP from our ISP for it.
I'm confused how this will connect! Here's some explanation of our setup:
Our internet connection comes via a fibre connection, with an RJ45 connector going into Port 1 (Internet) of the MX84.
The WAN/Public address on the MX84 is set to xx.xx.xx.106. The gateway is set to xx.xx.xx.105. (105 being the fibre router)
There is no VLAN set up, but a single LAN network covering the remaining ports on the MX84.
I now need to add the Cisco 800 to the mix. The WAN port on the 800 is to have IP xx.xx.xx.107. How do I connect this up to the MX84, given that all the other ports are LAN with a different IP network range (internal IPs)?
I think I need to create a VLAN but am struggling to find documentation on how to do this for our scenario.
To get your Cisco 800 series connected through your MX, I believe the best way would be to use a 1:1 NAT under the Security appliance > Firewall > 1:1 NAT section. There you can plug in the public IP that you want to use to reach your device and that device's internal IP. Creating a VLAN for the appliance to use (and possibly your VPN clients connecting to it) may make it easier to control the traffic of your VPN clients once connected. I guess this would depend on configuration and the business need.
Re: How to connect a device to the MX84 with its own Public IP address
Like @WadeAlsup said, you need to use the 1:1 NAT feature on the MX.
First create a VLAN that will be used on the MX connecting to the Cisco 800. Use a subnet you will use only for that device. Set the MX IP address and the 800's WAN port to be on the same subnet, with the next hop being the MX. On the MX's port to the 800, change it to be an access port with the VLAN you want.
On the 1:1 NAT, use the public WAN IP address that you need for the 800 router and point to the internal LAN IP address of the 800's WAN port. You should now have access from the outside to inside through the MX.
Depending on the client's network needs, if they need access to your network, it may require static routing set up on the MX.
Find my post helpful? Please give me a kudo! CCNP Certified and Meraki Operator
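An added example, not part of the original replies and not Meraki's own code: a Python pre-flight check for the VLAN and 1:1 NAT plan described above, which then emits a rule in the shape used by the Meraki Dashboard API's one-to-one NAT rules. All addresses, the /30 VLAN subnet, the existing LAN subnet, the rule name and the IPsec NAT-T inbound ports (UDP 500/4500 from the client's peer only) are constructed assumptions.

```python
import ipaddress as ip

# Constructed sample plan; documentation-range addresses stand in for the
# redacted xx.xx.xx.106 / .107 in the thread. Inbound ports are an assumption.
PLAN = {
    "name": "client-vpn-800", "mx_wan_ip": "203.0.113.106",
    "public_ip": "203.0.113.107", "vlan_subnet": "192.168.250.0/30",
    "mx_vlan_ip": "192.168.250.1", "lan_ip": "192.168.250.2",
    "existing_subnets": ["192.168.1.0/24"],
    "allowed_inbound": [{"protocol": "udp", "destinationPorts": ["500", "4500"],
                         "allowedIps": ["198.51.100.10"]}],
}

def check_plan(plan):
    """Return a list of problems with the planned mapping (empty list = OK)."""
    problems = []
    vlan = ip.ip_network(plan["vlan_subnet"])
    mx_vlan_ip = ip.ip_address(plan["mx_vlan_ip"])
    lan_ip = ip.ip_address(plan["lan_ip"])  # WAN port of the Cisco 800
    # Both ends of the MX-to-800 link must sit in the dedicated VLAN subnet.
    for label, addr in (("MX VLAN IP", mx_vlan_ip), ("800 WAN IP", lan_ip)):
        if addr not in vlan:
            problems.append(f"{label} {addr} is outside {vlan}")
    if lan_ip == mx_vlan_ip:
        problems.append("800 WAN IP collides with the MX VLAN IP")
    # The subnet is meant for this device only: no overlap with user LANs.
    for other in plan["existing_subnets"]:
        if vlan.overlaps(ip.ip_network(other)):
            problems.append(f"{vlan} overlaps existing subnet {other}")
    # Map the additional static IP, not the MX's own WAN address.
    if ip.ip_address(plan["public_ip"]) == ip.ip_address(plan["mx_wan_ip"]):
        problems.append("public IP is the MX's own WAN address")
    # An inbound rule open to every source exposes the 800 to the internet.
    for rule in plan["allowed_inbound"]:
        for src in rule["allowedIps"]:
            if src.lower() == "any" or ip.ip_network(src, strict=False).prefixlen == 0:
                problems.append("inbound rule allows any source")
    return problems

def to_rule(plan):
    """Build the 1:1 NAT rule body, refusing a plan that fails the checks."""
    problems = check_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    return {"rules": [{"name": plan["name"], "publicIp": plan["public_ip"],
                       "lanIp": plan["lan_ip"], "uplink": "internet1",
                       "allowedInbound": plan["allowed_inbound"]}]}
```
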