Many:1 NAT / using mutltiple WAN IP's for outbound NAT traffic from different internal subnets

Tom42
Here to help

Many:1 NAT / using mutltiple WAN IP's for outbound NAT traffic from different internal subnets

I have an MX device.

 

I have a block of multiple WAN IP's from my ISP.

 

By default all my traffic is NATted out to the world via the default WAN IP of the MX

 

I would like to be able to get the MX device to send traffic out of one of my additional WAN IP's rather than the default.

 

I do not want to do this just for one internal device (a 1:1 NAT rule) but would instead like to send a whole internal  subnet out via this additional WAN IP (a Many:1 NAT rule?)

 

for example:

I have internal subnets/VLANs 192.168.0.0/24,192.168.1.0/24, 192.168.2.0/24

I have WAN IP range 8.8.8.0/29.

 

I want all traffic from 192.168.0.0/24 to go via 8.8.8.1, 

all traffic from 192.168.1.0/24 to go via 8.8.8.2, 

all traffic from 192.168.2.0/24 to go via 8.8.8.3

 

Is this possible using a single MX device?

7 REPLIES 7
PhilipDAth
Kind of a big deal
Kind of a big deal

The MX will only send traffic out from:

  • The IP address configured on its WAN interface
  • If a warm spare and a virtual IP is configured, then using the virtual IP address

There are no other options.

 

You could consider changing thee WAN IP address of your MX, but that will also affect any non-Meraki VPNs and client VPN you might have configured.

This is a shame.

 

The device is in a school. web filtering is provided offsite by the ISP with filtering rules based on the source IP - so If I want to provided both a 'student' level and 'staff' level of filtering I need to push traffic from two different source IP's

 

I guess I have to use two physical MX devices here or commit to an advanced license and bring the filtering in-house.

 

(unfortunately the school is contracted into the ISP provided filtering for another 2 years so the option of paying the additional money for the advanced license is tricky)

hmm. I guess I could just use multiple 1:1 NAT rules to achieve this.

 

Is there a limit to how many I can setup?

 

I could leave my default WAN IP with student level filtering, then manually pull out blocks of IP's to give other filtering levels to.

BrechtSchamp
Kind of a big deal

That won't work, you'll only be able to use each WAN IP once for 1-to-1 NAT.

 

You could use the SD-WAN feature, but you're limited to 2 public IP addresses (your 2 WAN connections).

2019-02-27 14_18_46-Greenshot.png

Did this work for you? Were you able to leverage your block of Public IPs in individual 1:1 NATs?

I ended up buying an advanced license for the MX and doing the filtering on the MX.

Thanks.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels