Outbound NAT

B_Tyler
Here to help

Outbound NAT

Is there a way to NAT outbound traffic on an MX to one of my public addresses and not the IP address of the MX itself?  I just replaced a SonicWall firewall where this was configured.  Using the MX interface address has broken some of the applications that were previously using the public address.  For some reason the MX interface address is being recognized as out of the country.

13 Replies 13
PhilipDAth
Kind of a big deal
Kind of a big deal

Can you just change the MX address to be what you want?
B_Tyler
Here to help

The IP address on the WAN interface of the MX is the /30 assigned by the ISP.   I don't think I can't change that.

MRCUR
Kind of a big deal

Do you have a /30 from the ISP AND another block of IP's that the ISP is routing to the /30 (Comcast does this for example)? 

 

In that case, what I've done in the past is terminate the /30 on a L3 switch that sits in front of the MX. Then on the switch, create a VLAN with the public IP block and connect the MX WAN port to this VLAN. 

MRCUR | CMNO #12
B_Tyler
Here to help

Yes, I have a WAN IP and a public routed network.  Thanks, this is one option.  I was hoping to do it through software and not buy more hardware though.

Paulofg
Meraki Employee
Meraki Employee

The only way to achieve that would be to configure a 1:1 NAT under Security Appliance>Firewall.

All inbound and outbound traffic would then be NAT'd to the new IP instead of the MX's. 

 

Have a look here for more info on how to do it:

 

https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_M...

B_Tyler
Here to help

Doing a 1:1 NAT isn't going to scale for an enterprise network.   I need to be able to do something like this, LAN IP= 10.33.0.0/16 PUBLIC IP = X.48.243.195.  I have approximately 10 internal networks of various sizes.

Paulofg
Meraki Employee
Meraki Employee

I hear you.

Unfortunately there will not be an easy way to that, currently.

To get a whole subnet to use a different outbound IP you will only be able to do that if the IP belongs to the WAN interface and as someone mentioned above you could achieve that with another L3 device connected to WAN2.

MRCUR
Kind of a big deal


@Paulofg wrote:

To get a whole subnet to use a different outbound IP you will only be able to do that if the IP belongs to the WAN interface and as someone mentioned above you could achieve that with another L3 device connected to WAN2.


You don't have to connect it to WAN2 in the setup I suggested to be clear. 

MRCUR | CMNO #12
Adam
Kind of a big deal

I ran into this same issue at one of our buildings.  I was trying to assign each one of our tenants a public IP.  So basically mapping their LAN /24 to a single public IP.  Never found a great way to accomplish it without more hardware.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
jaymon123
Here to help

Is there a way to do this now?  We are doing research on the MX line to potentially replace our Palo Alto, but I came across this thread and wanted to make sure this wasn't still a limitation of the MX line.

jimmyt234
Building a reputation

There is still no way to do this other than the workarounds already discussed.

MRCUR
Kind of a big deal

Palo Alto to Meraki MX? That's quite the downgrade in feature set. 

MRCUR | CMNO #12
jaymon123
Here to help

The Palo is too complex for us.  But yeah, I do need basic features and I'm finding out the MX is missing them.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels