MX 250 NAT 1:1

shlomoi
Here to help

Hi friends,

We recently connected an MX 250, and my ISP assigned me a number of public addresses:
80.178.158.128/28
We use 2 P2P addresses:
MX 80.178.158.130
ISP 80.178.158.129

Within our office there is another company that is connected through our line, and they want to connect a FORTI FW with a public address in order to establish a SITE TO SITE with another FORTI FW.
I configured a 1:1 NAT for them with one of my addresses, 80.178.158.140.
But there is a problem: they still go out with my PUBLIC address. Does anyone have an idea how to solve the problem?

Thanks

5 Replies
alemabrahao
Kind of a big deal

Can you share a topology just to be clearer?
But just to make it clear, NAT is only inbound and not outbound.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Hi,

The topology is quite simple: the MX is connected to an ISP.

MX 80.178.158.130/28
ISP 80.178.158.129/28

6 switches connected for users, with 5 VLANs.


One of the firm's clients wants to connect a FORTI FW to our network with a public IP address. I assigned him the address 80.178.158.140.

And I did 1:1 NAT between
80.178.158.140
10.10.10.9

Now my problem is that the Forti goes out through my public address
80.178.158.130
and not through the IP address I assigned him
80.178.158.140


[image: mx 250.PNG]

Thanks 
alemabrahao
Kind of a big deal

It will not work as expected: the NAT on the MX is inbound only, and the outbound will still use the MX's WAN IP.

It would be easier to connect the carrier link to the switch, configure the switch port to access a different VLAN, and then configure the right public IP on the Fortigate.


1:1 NAT usually works for outbound as well. It should be using the 1:1 IP address for the outbound traffic as well.

The connection to the ISP: is there a spare port on the ISP device so they could plug their firewall in directly?

I partly agree with his statement, but the way he wants to use it (I believe it is as a gateway for a specific network), it won't work.

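Since the replies disagree on whether the MX translates outbound traffic, the quickest way to settle it is to check the address plan and then look at what source address actually appears on the WAN side. The script below is an added example, not from the thread or from Meraki; it uses the addresses posted above and a constructed sample of WAN-side flows (internal source, translated source) standing in for a real capture.

```python
import ipaddress

# Constructed from the address plan given in the thread.
ISP_BLOCK = ipaddress.ip_network("80.178.158.128/28")
ISP_P2P = ipaddress.ip_address("80.178.158.129")
MX_WAN = ipaddress.ip_address("80.178.158.130")
ONE_TO_ONE = {"80.178.158.140": "10.10.10.9"}  # public -> internal

def check_address_plan(block, isp, mx, nat_rules):
    """Return a list of plan problems; an empty list means the plan is sane."""
    problems = []
    reserved = {block.network_address, block.broadcast_address, isp, mx}
    for pub in nat_rules:
        pub_ip = ipaddress.ip_address(pub)
        if pub_ip not in block:
            problems.append(f"{pub} is outside {block}")
        elif pub_ip in reserved:
            problems.append(f"{pub} collides with a reserved or P2P address")
    return problems

def egress_report(flows, nat_rules, mx_wan):
    """Classify outbound flows seen on the WAN side.

    Each flow is (internal_src, translated_src). Returns a dict mapping the
    internal host to 'mapped' (left via its 1:1 address), 'wan' or 'unexpected'.
    """
    internal_to_public = {v: k for k, v in nat_rules.items()}
    report = {}
    for internal, translated in flows:
        expected = internal_to_public.get(internal)
        if expected is not None and translated == expected:
            report[internal] = "mapped"
        elif translated == str(mx_wan):
            report[internal] = "wan"
        else:
            report[internal] = "unexpected"
    return report

# Constructed sample of what a WAN-side capture might show (hypothetical).
SAMPLE_FLOWS = [
    ("10.10.10.9", "80.178.158.130"),   # the Forti leaving via the MX WAN IP
    ("10.10.20.5", "80.178.158.130"),   # an ordinary user VLAN host
]

if __name__ == "__main__":
    print(check_address_plan(ISP_BLOCK, ISP_P2P, MX_WAN, ONE_TO_ONE))
    print(egress_report(SAMPLE_FLOWS, ONE_TO_ONE, MX_WAN))
```

A host reported as "wan" while it has a 1:1 rule is exactly the symptom described in the question, and confirms the observation rather than arguing about what the platform should do.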