Hi
I am looking at migrating a Cisco ASA to Meraki MX 250.
The current connection is: the ISP provides a managed firewall which is connected to our Cisco ASA. The ISP is NATting the public IPs to our private IP on our Cisco ASA, which in turn are NATted to internal hosts.
Can I check how I would achieve the same on the Meraki under 1:1 NAT?
The connection is as follows:
Current
ASA ISP Firewall INT ---- ASA Customer Outside INT (in turn NATted to internal hosts); example below:
ISP Public 1.1.1.1
Private IP 10.153.164.27 (ASA outside interface)
Internal 10.50.4.18
Proposed
ISP Firewall ---- MX250 Uplink 1 ---- Inside Hosts
The key thing is we need to maintain those IPs from the ISP which are being NATted. Should I just use the same 1:1 NAT as above? The Uplink Internet 1 IP address will be the same as it is on our Cisco ASA Outside Interface.
Uplink IP 10.153.164.2
Public IP 10.153.164.27
LAN IP 10.50.4.18
Thanks in advance
Hi Steven,
I'm not sure I follow why it's different before and after.
You have 1 x public IP from the ISP
They hand off a link to you from their managed firewall (on private IPs)
They are doing a 1:1 NAT from the public IP to the private IP of your ASA external interface
You are doing a 1:1 NAT on the ASA from external to internal
You seem to have a second IP in the mix on the proposed MX - like the ISP may be NATting multiple public IPs to you perhaps?
Is something changing on that front, or do you want to just do like for like?
Cheers,
Tim
Thanks for responding.
What you have summarised there is correct.
The ISP firewall has the Public IP; from their FW appliance to ours they hand off to a static private IP (outside interface). They are then NATting multiple public IPs from their firewall to ours.
I guess my question is should I just do the same on the MX:
WAN-IP will become the old ASA static private IP (connected to the ISP interface)
Now when it comes to NATting public IP addresses, do I just use 1:1 NAT?
For instance, this is our Cisco ASA:
Public Service 1.1.1.1 (via the ISP Firewall)
Private IP 2.2.2.2 (NATted to a host on our outside interface)
Private IP 3.3.3.3 (NATted to a host on the inside network)
Public IP 1.1.1.2 (via the ISP Firewall)
Private IP 2.2.2.3 (NATted to a host on our outside interface)
Private IP 3.3.3.4 (NATted to a host on the inside network)
Apologies, sent this too quick.
We won't be NATting the MX IP, only the range of IPs within a subnet which is to be used for those outside services. Using this as an example:
ISP IP 1.1.1.254
WAN-IP 1.1.1.1
So this is what we want to achieve with the above on the MX.
Thanks
I know that is of no help to you now, but IPv6 would fix all this craziness.
Meraki! Are you listening? This is a use case for IPv6! No NATting!
I don't know if you can 1:1 NAT the IP address on the actual MX WAN interface, but you can 1:1 NAT any other IP address in that subnet that the WAN interface is in (except for the ISP address, of course).
Ah yes, just tried - it won't let you forward that as 1:1.
Cheers,
Tim.
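As an added illustration (not part of the thread or of any Meraki tooling), a small Python check for a proposed 1:1 NAT table against the constraints the replies above establish: the public address must sit in the uplink subnet but be neither the MX WAN address itself nor the ISP gateway, the LAN side must be an internal address, and no public IP may be claimed twice. The addresses and the rule field names (name/publicIp/lanIp) are constructed assumptions, not a Meraki API schema.

```python
import ipaddress
from typing import Dict, List

# Constructed sample values, loosely following the thread's second scenario:
# the MX uplink sits in the same subnet as the ISP gateway, and the public
# addresses to be mapped are other hosts in that same subnet.
UPLINK_SUBNET = ipaddress.ip_network("1.1.1.0/24")
UPLINK_IP = ipaddress.ip_address("1.1.1.1")      # MX WAN (uplink) address
ISP_GATEWAY = ipaddress.ip_address("1.1.1.254")  # ISP firewall hand-off
LAN_SUBNETS = [ipaddress.ip_network("10.50.4.0/24")]  # assumed internal range


def check_one_to_one_rules(rules: List[Dict[str, str]],
                           uplink_subnet=UPLINK_SUBNET,
                           uplink_ip=UPLINK_IP,
                           isp_gateway=ISP_GATEWAY,
                           lan_subnets=LAN_SUBNETS) -> Dict[str, List[str]]:
    """Return {rule name: [problems]} for rules that would be refused or misbehave.

    Each rule is a dict with 'name', 'publicIp' and 'lanIp'; these field names
    are an assumption chosen to mirror a 1:1 NAT entry, not a vendor schema.
    """
    problems: Dict[str, List[str]] = {}
    seen_public = set()
    for rule in rules:
        issues = []
        pub = ipaddress.ip_address(rule["publicIp"])
        lan = ipaddress.ip_address(rule["lanIp"])
        if pub == uplink_ip:
            issues.append("publicIp is the MX uplink address itself; 1:1 NAT of the WAN IP is refused")
        if pub == isp_gateway:
            issues.append("publicIp is the ISP gateway; that address is not ours to map")
        if pub not in uplink_subnet:
            issues.append(f"publicIp is outside the uplink subnet {uplink_subnet}")
        if not any(lan in net for net in lan_subnets):
            issues.append("lanIp is not inside a configured LAN subnet")
        if pub in seen_public:
            issues.append("publicIp already used by another 1:1 rule")
        seen_public.add(pub)
        if issues:
            problems[rule["name"]] = issues
    return problems
```

Passing the first scenario's values (uplink 10.153.164.2 in its own subnet) as keyword arguments applies the same checks to that layout.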
But No-NAT?
I considered using No-NAT but ended up configuring the next device up the line to just pass everything through without NATting.