No NAT + Inbound firewall rules?

Adam2104
Building a reputation


Has anyone played with the no NAT functionality in MX 15? I'm playing with a few different topologies and currently I want to run without the MX doing NAT. The topology is:

 

Internet --- Firepower 1010 --- MX67 --- Clients

 

I want the Firepower 1010 to see the real IP addresses of the clients. The Firepower will also handle all NAT duties to/from the Internet. All my clients and services are behind the MX67, there's only a small /30 between the MX and the Firepower. Thus, I need to poke holes in the firewall of the MX to allow for incoming services to work. Previously, with NAT mode, I'd just configure the port forwarding rule on the Firewall page and everything works. However, once the NAT exceptions are enabled the port forwards don't work (as expected), thus I need to poke a hole in the Inbound firewall to allow the traffic to hit the relevant ports on the relevant IP addresses. However, there are no inbound firewall configuration options available. The only thing I see in the Dashboard are the regular outbound firewall rules. The only way I can get the inbound firewall rules to appear is by using passthrough mode, but that has other limitations I'd prefer to avoid.

 

Am I missing something basic? It seems like no NAT needs to expose inbound firewall rule configurations. Otherwise, it's impossible to host any services behind the MX.

ww
Kind of a big deal

I think support can enable this

PhilipDAth
Kind of a big deal

@ww is right.  Support can enable this.

Is there a licensing requirement for inbound that support activates? If not then why does it require a support ticket? Just curious!!!

Because it is a beta feature.

Is there a licensing requirement for inbound that support activates? If not then why does it require a support ticket? Just curious!
