NAT from the DMZ onto the LAN

Getting noticed

Hi all,

I'm working through the process of migrating one of our offices from a Checkpoint firewall to an MX but I've run up against an issue and I can't think of a sensible way around it.

The site has a DMZ behind the Checkpoint firewall with a server that makes connections both to the internet (easy to reproduce) but also to a single server in a data centre across our global WAN. That connection has a policy on the Checkpoint that uses NAT so the connection looks to the data centre server as though it's the firewall making the request and as the local office LAN is a subnet the data centre knows about, it just routes the traffic back.

The DMZ server in question is a third party black box so we are hoping to avoid having to connect it directly to the LAN in the office as we cannot be certain how up to date it is.

Is there any way I can reproduce that DMZ <> NAT <> LAN functionality with an MX, or do I need to start thinking about having routes for the DMZ subnet advertised across the WAN?

3 REPLIES

Kind of a big deal

Re: NAT from the DMZ onto the LAN


@Pugmiester wrote:

That connection has a policy on the Checkpoint that uses NAT so the connection looks to the data centre server as though it's the firewall making the request and as the local office LAN is a subnet the data centre knows about, it just routes the traffic back.


You can't do source NAT on the MX, unless it's from "LAN to WAN" and using the configured WAN interface IP... So I'm not sure this is going to be possible 😞

Getting noticed

Re: NAT from the DMZ onto the LAN

That's the conclusion I was getting to as well.

The good news is, we don't have to rip out the Checkpoint to get the MXs live, so for a little extra breathing space I can leave the setup as it is initially while we work out a solution with a little more breathing time.