Meraki

Community

NAT Many to One on non Internet interface

EdHayes
Comes here often
‎May 26 2021 9:04 AM
‎May 26 2021 9:04 AM

NAT Many to One on non Internet interface

I have a requirement for a Vlan (192.16.x.y) on a MX100 to be natted to a private address (10.x.y.z) which exists on an interface on the MX but it's not a Internet interface, it;s an external DMZ interface.  I basically need a many to one NAT function which is not destined for the Internet.  I don't think this is possible with the MX Security Appliance, if it is then I would greatly appreciate some help on this.

 

Would one option be to connect the DMZ to the second WAN Internet Port and configure a private address on it (10.x.y.z) and then would it be possible to do a Many to 1 NAT over this from the internal Vlans ? 

0 Kudos
5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 26 2021 1:12 PM
‎May 26 2021 1:12 PM

I think this will work (forget the second WA port).  Try just configuring it.

 

The NAT rules are often processed irrespective of which interface they pass through.

 

For example, you can create a NAT rule for a public IP, but still access the service via that public IP from inside of the network, because the system intercepts the NAT as it flows in through the first interface.

0 Kudos
In response to PhilipDAth
EdHayes
Comes here often
‎May 27 2021 3:13 AM
‎May 27 2021 3:13 AM

HI Philip,

 

Thanks for your reply.

 

I am trying to NAT out on a DMZ interface which has a private address (10.x.y.z) with overload on that address (PAT), which I cant see how to do that.  The DMZ is effectively just a VLAN assigned to a port on the MX. I cant see a configuration option where it's possible to do a private NAT in the MX other than on a WAN Internet Port.

 

 

0 Kudos
In response to EdHayes
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 27 2021 1:49 PM
‎May 27 2021 1:49 PM

PAT won't work.  But you should be able to configure 1:many and 1:1 on any interface and have it work.  1:1 should definitely work.

0 Kudos
In response to PhilipDAth
EdHayes
Comes here often
‎May 28 2021 5:25 AM
‎May 28 2021 5:25 AM

Thanks for the reply. If I try to configure a 1:Many NAT or a 1:1 Nat the uplink option is either Internet 1 or Internet 2, are you saying that this would be not relevant if specified the address of the DMZ ? Also is it possible to use a Pool of IP addresses for the destination NAT ?

 

 

0 Kudos
In response to EdHayes
EdHayes
Comes here often
‎Jun 4 2021 5:38 AM
‎Jun 4 2021 5:38 AM

Any update on this question please as I still don't have an answer to what I'm trying to achieve .... Any more info or guidance would be much appreciated ...

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.