Outbound NAT
Is there a way to NAT outbound traffic on an MX to one of my public addresses and not the IP address of the MX itself? I just replaced a SonicWall firewall where this was configured. Using the MX interface address has broken some of the applications that were previously using the public address. For some reason the MX interface address is being recognized as out of the country.
The IP address on the WAN interface of the MX is the /30 assigned by the ISP. I don't think I can change that.
Do you have a /30 from the ISP AND another block of IPs that the ISP is routing to the /30 (Comcast does this, for example)?
In that case, what I've done in the past is terminate the /30 on an L3 switch that sits in front of the MX. Then on the switch, create a VLAN with the public IP block and connect the MX WAN port to this VLAN.
Yes, I have a WAN IP and a public routed network. Thanks, this is one option. I was hoping to do it through software and not buy more hardware though.
The only way to achieve that would be to configure a 1:1 NAT under Security Appliance > Firewall.
All inbound and outbound traffic would then be NAT'd to the new IP instead of the MX's.
Have a look here for more info on how to do it:
Doing a 1:1 NAT isn't going to scale for an enterprise network. I need to be able to do something like this: LAN IP = 10.33.0.0/16, PUBLIC IP = X.48.243.195. I have approximately 10 internal networks of various sizes.
I hear you.
Unfortunately, there will not be an easy way to do that, currently.
To get a whole subnet to use a different outbound IP, you will only be able to do that if the IP belongs to the WAN interface, and as someone mentioned above, you could achieve that with another L3 device connected to WAN2.
@Paulofg wrote: To get a whole subnet to use a different outbound IP you will only be able to do that if the IP belongs to the WAN interface and as someone mentioned above you could achieve that with another L3 device connected to WAN2.
You don't have to connect it to WAN2 in the setup I suggested, to be clear.
I ran into this same issue at one of our buildings. I was trying to assign each one of our tenants a public IP. So basically mapping their LAN /24 to a single public IP. Never found a great way to accomplish it without more hardware.
Is there a way to do this now? We are doing research on the MX line to potentially replace our Palo Alto, but I came across this thread and wanted to make sure this wasn't still a limitation of the MX line.
There is still no way to do this other than the workarounds already discussed.
Palo Alto to Meraki MX? That's quite the downgrade in feature set.
The Palo is too complex for us. But yeah, I do need basic features and I'm finding out the MX is missing them.
