Outbound NAT

Here to help

Outbound NAT

Is there a way to NAT outbound traffic on an MX to one of my public addresses and not the IP address of the MX itself?  I just replaced a SonicWall firewall where this was configured.  Using the MX interface address has broken some of the applications that were previously using the public address.  For some reason the MX interface address is being recognized as out of the country.

Kind of a big deal

Re: Outbound NAT

Can you just change the MX address to be what you want?
Here to help

Re: Outbound NAT

The IP address on the WAN interface of the MX is the /30 assigned by the ISP. I don't think I can change that.

Kind of a big deal

Re: Outbound NAT

Do you have a /30 from the ISP AND another block of IPs that the ISP is routing to the /30 (Comcast does this for example)?

In that case, what I've done in the past is terminate the /30 on a L3 switch that sits in front of the MX. Then on the switch, create a VLAN with the public IP block and connect the MX WAN port to this VLAN.

MRCUR | CMNO #12
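
The layout described in the reply above, sketched as an added example that is not part of the original post. It assumes a Cisco IOS-style L3 switch; the port names, VLAN ID and addresses (documentation ranges) are constructed placeholders.

```cisco
! Assumed: ISP /30 is 203.0.113.0/30 (ISP side .1, customer side .2)
! Assumed: ISP routes the public block 198.51.100.0/28 to 203.0.113.2
ip routing
!
! Uplink to the ISP: routed port that terminates the /30
interface GigabitEthernet1/0/1
 description ISP handoff (/30)
 no switchport
 ip address 203.0.113.2 255.255.255.252
!
! VLAN that carries the routed public block
vlan 100
 name PUBLIC-BLOCK
!
! Switch acts as the gateway for the public block
interface Vlan100
 description Gateway for routed public block
 ip address 198.51.100.1 255.255.255.240
!
! Access port facing the MX WAN interface
interface GigabitEthernet1/0/2
 description MX WAN port
 switchport mode access
 switchport access vlan 100
!
! Everything else goes to the ISP side of the /30
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

With this in place the MX WAN port is given a static address from the routed block (here 198.51.100.2/28, gateway 198.51.100.1), so outbound traffic is NAT'd to that address rather than to the /30.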
Here to help

Re: Outbound NAT

Yes, I have a WAN IP and a public routed network.  Thanks, this is one option.  I was hoping to do it through software and not buy more hardware though.

Meraki Employee

Re: Outbound NAT

The only way to achieve that would be to configure a 1:1 NAT under Security Appliance > Firewall.

All inbound and outbound traffic would then be NAT'd to the new IP instead of the MX's.

Have a look here for more info on how to do it:

https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_M...

Here to help

Re: Outbound NAT

Doing a 1:1 NAT isn't going to scale for an enterprise network. I need to be able to do something like this: LAN IP = 10.33.0.0/16, PUBLIC IP = X.48.243.195. I have approximately 10 internal networks of various sizes.

Meraki Employee

Re: Outbound NAT

I hear you.

Unfortunately, there will not be an easy way to do that, currently.

To get a whole subnet to use a different outbound IP, you will only be able to do that if the IP belongs to the WAN interface, and as someone mentioned above, you could achieve that with another L3 device connected to WAN2.

Kind of a big deal

Re: Outbound NAT


@Paulofg wrote:

To get a whole subnet to use a different outbound IP you will only be able to do that if the IP belongs to the WAN interface and as someone mentioned above you could achieve that with another L3 device connected to WAN2.


You don't have to connect it to WAN2 in the setup I suggested, to be clear.

MRCUR | CMNO #12
Kind of a big deal

Re: Outbound NAT

I ran into this same issue at one of our buildings.  I was trying to assign each one of our tenants a public IP.  So basically mapping their LAN /24 to a single public IP.  Never found a great way to accomplish it without more hardware.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.