Hi all,
I'm working through the process of migrating one of our offices from a Checkpoint firewall to an MX but I've run up against an issue and I can't think of a sensible way around it.
The site has a DMZ behind the Checkpoint firewall with a server that makes connections both to the internet (easy to reproduce) and to a single server in a data centre across our global WAN. That connection has a policy on the Checkpoint that uses NAT, so the connection looks to the data centre server as though it's the firewall making the request, and as the local office LAN is a subnet the data centre knows about, it just routes the traffic back.
The DMZ server in question is a third party black box so we are hoping to avoid having to connect it directly to the LAN in the office as we cannot be certain how up to date it is.
Is there any way I can reproduce that DMZ <> NAT <> LAN functionality with an MX, or do I need to start thinking about having routes for the DMZ subnet advertised across the WAN?