MX NAT with 2 Firewalls

Comes here often


Hi

I am looking at migrating a Cisco ASA to a Meraki MX 250.

The current connection is an ISP providing a managed firewall which is connected to our Cisco ASA. The ISP is NATting the public IPs to our private IP on our Cisco ASA, which in turn are NATted to internal hosts.

Can I check how I would achieve the same on the Meraki under 1:1 NAT?

The connection is as follows:

Current

ASA ISP Firewall INT ---- ASA Customer Outside INT (in turn NATted to internal hosts) - example below

ISP Public    1.1.1.1
Private IP    10.153.164.27 (ASA outside interface)
Internal      10.50.4.18

Proposed

ISP Firewall ---- MX250 Uplink 1 ---- Inside Hosts

The key thing is we need to maintain those IPs from the ISP which are being NATted. Should I just use the same 1:1 NAT as above? The Uplink Internet 1 IP address will be the same as it is on our Cisco ASA Outside Interface.

Uplink IP   10.153.164.2
Public IP   10.153.164.27
LAN IP      10.50.4.18

Thanks in advance

7 REPLIES
Here to help

Re: MX NAT with 2 Firewalls

Hi Steven,

I'm not sure I follow why it's different before and after.

You have 1 x public IP from the ISP.

They hand off a link to you from their managed firewall (on private IPs).

They are doing a 1:1 NAT from the public IP to the private IP of your ASA external interface.

You are doing a 1:1 NAT on the ASA from external to internal.

You seem to have a second IP in the mix on the proposed MX - like the ISP may be NATting multiple public IPs to you, perhaps?

Is something changing on that front, or do you want to just do like for like?

Cheers,

Tim

Kind of a big deal

Re: MX NAT with 2 Firewalls

I don't know if you can 1:1 NAT the IP address on the actual MX WAN interface, but you can 1:1 NAT any other IP address in that subnet that the WAN interface is in (except for the ISP address, of course).

Here to help

Re: MX NAT with 2 Firewalls

Ah yes, just tried - it won't let you forward that as 1:1.

Cheers,

Tim.

Kind of a big deal

Re: MX NAT with 2 Firewalls

But No-NAT?

I considered using No-NAT but ended up configuring the next device up the line to just pass everything through without NATting.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Comes here often

Re: MX NAT with 2 Firewalls

Thanks for responding.

What you have summarised there is correct.

The ISP firewall has the Public IP; from their FW appliance to ours, the hand-off is to a static private IP (outside interface). They are then NATting multiple public IPs from their firewall to ours.

I guess my question is: should I just do the same on the MX?

WAN-IP    will become the old ASA static private IP (connected to the ISP interface)

Now when it comes to NATting public IP addresses, do I just use 1:1 NAT?

For instance, this is our Cisco ASA:

Public Service 1.1.1.1  (via the ISP Firewall)
Private IP     2.2.2.2 (NATted to a host on our outside interface)
Private IP     3.3.3.3 (NATted to a host on the inside network)

Public IP      1.1.1.2  (via the ISP Firewall)
Private IP     2.2.2.3 (NATted to a host on our outside interface)
Private IP     3.3.3.4 (NATted to a host on the inside network)

Comes here often

Re: MX NAT with 2 Firewalls

Apologies, sent this too quickly.

We won't be NATting the MX IP, only the range of IPs within a subnet which is to be used for those outside services. Using this as an example:

ISP IP       1.1.1.254
WAN-IP       1.1.1.1

  • The ISP will NAT a Public IP (x.x.x.x) to 1.1.1.100
  • Customer will then NAT 1.1.1.100 to an internal host

So this is what we want to achieve with the above on the MX.

Thanks
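To make the double-NAT chain above and the constraint from the earlier replies concrete, here is an added example (not from the thread and not Meraki's code): it checks a proposed MX 1:1 NAT table against the uplink subnet (the "Public IP" must be another address in that subnet, never the MX WAN IP itself or the ISP address) and traces an inbound packet's destination through both NAT hops. Assumptions: a /24 uplink subnet (the mask is never stated), the constructed address 203.0.113.10 standing in for the ISP's x.x.x.x, and 10.50.4.18 from the first post as the inside host.

```python
import ipaddress

# Assumed /24 mask on the ISP hand-off subnet; the thread never gives the mask.
UPLINK_NET = ipaddress.ip_network("1.1.1.0/24")
ISP_GATEWAY = ipaddress.ip_address("1.1.1.254")  # ISP firewall interface
MX_WAN_IP = ipaddress.ip_address("1.1.1.1")      # MX Uplink 1 address

# ISP-side 1:1 NAT: real public address -> address on the hand-off subnet.
# 203.0.113.10 is a constructed stand-in for the thread's x.x.x.x.
ISP_NAT = {"203.0.113.10": "1.1.1.100"}
# MX-side 1:1 NAT: hand-off address ("Public IP") -> inside host ("LAN IP").
MX_NAT = {"1.1.1.100": "10.50.4.18"}


def validate_mx_one_to_one(mx_nat, uplink_net=UPLINK_NET, wan_ip=MX_WAN_IP, isp_gw=ISP_GATEWAY):
    """Return a list of problems with an MX 1:1 NAT table (empty means OK).

    Encodes the constraints the replies describe: each 1:1 'Public IP' has to be
    another address in the uplink subnet, and cannot be the MX WAN interface IP
    (the dashboard refuses that) or the ISP gateway address.
    """
    problems = []
    for pub, lan in mx_nat.items():
        pub_ip = ipaddress.ip_address(pub)
        ipaddress.ip_address(lan)  # raises ValueError on a malformed LAN IP
        if pub_ip not in uplink_net:
            problems.append(f"{pub}: not in uplink subnet {uplink_net}")
        if pub_ip == wan_ip:
            problems.append(f"{pub}: is the MX WAN interface IP, cannot be 1:1 NATted")
        if pub_ip == isp_gw:
            problems.append(f"{pub}: is the ISP gateway address")
    return problems


def trace_inbound(dst_public, isp_nat=ISP_NAT, mx_nat=MX_NAT):
    """Follow an inbound packet's destination through the ISP NAT, then the MX NAT.

    Returns the destination at each hop [public, hand-off, inside], or None when
    a hop has no mapping (the packet would be dropped at that firewall).
    """
    handoff = isp_nat.get(dst_public)
    if handoff is None:
        return None
    inside = mx_nat.get(handoff)
    if inside is None:
        return None
    return [dst_public, handoff, inside]
```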

Getting noticed

Re: MX NAT with 2 Firewalls

I know that is of no help to you now, but IPv6 would fix all this craziness.

Meraki! Are you listening? This is a use case for IPv6! No NATting!
