MX450 - 1:1 NAT; outbound IP?


I'm migrating from some ISRs to an MX450.
2 WAN links.
An ISP-provided /30 is on a switch, and I have my first IP from my /27 on the MX (both WAN).

I have configured a few (12?) 1:1 NATs, but all but one of them do not route back to their 1:1 IP address.
They don't even route back to the same interface (WAN1) but outbound on WAN2.

Due to proper security SSL settings, this obviously breaks web apps and sites.

I was wondering if anyone experienced this, and what a possible solution is? (I'd prefer to keep the MX as an edge device.)

If I remember correctly, there is no way to NAT outbound traffic to a specific IP address. You can NAT it out to WAN1 or WAN2, but to NAT out to IP #2 on WAN 1 I don't believe is possible. Maybe there has been a feature released allowing this since the last time I had this problem (about 6 months ago) but not sure.


I would try calling Meraki support and see what they say.



I really don't understand -
this was a touted feature during demonstrations (bi-directional NAT).

Does this technically break web servers that require the return path to match the incoming path? (reverse route)

That is 100% dependent on your setup. I will say though even though Meraki lacks this feature, and some other ones you would think are common, I have never hit a "there is no other way" to obtain the end result.


Contact Meraki support and see if they have a beta firmware or something you can try, otherwise you will have to figure out how to make it work within the limitations of Meraki.

>due to proper security SSL settings - this obviously breaks web apps and sites. 


This won't break SSL or web apps. If a request is NAT'ed through from the outside world, the reply traffic from the web server will return via the same path (using the same 1:1 IP address).
