
Public IP on MX incoming and outgoing


Dear Colleagues,

 

I've got a customer operating a WatchGuard FW; we are going to replace it with an MX84 soon.

On the current FW config there are 2 sets of public IPs configured on the WAN interface: 1 for the interface itself /30 and 4 as alias IPs /29.

 

example:

WAN interface mx ip: 10.1.1.2/30

public alias IP : 11.1.1.1/29

mx lan ip (vlan 10): 192.168.1.1/24

mail server ip: 192.168.1.1/24

 

Each IP is reachable from outside. My customer asks if it's possible to do NAT for their email, which is currently running on the WatchGuard, outgoing using IP alias 11.1.1.1/29 and incoming using 11.1.1.2/29. For incoming/inbound, yes, we can do 1:1 or 1:Many NAT. How about outgoing: is there any other way I can configure outgoing to use alias IP 11.1.1.1 instead of the WAN interface IP 10.1.1.2/30?

 

Many thanks,


Re: Public IP on MX incoming and outgoing

The MX has a different concept for the usage of the additional IPs on the external interfaces. You do not configure any aliases, but the moment a 1:1 NAT exists, this IP is also used for outgoing communication.

In the Firewall section of the MX you need a 1:1 entry:

Public IP: 11.1.1.1

LAN IP: 192.168.1.1


Re: Public IP on MX incoming and outgoing

Hi Karstenl,

 

If I configure both IPs as 1:Many NAT, so inbound port forwarding uses 11.1.1.1 for SMTP and another IP, 11.1.1.2, as inbound 1:Many NAT for POP3, with port forwarding to the same server, does it mean outgoing packets use IP 11.1.1.2 or 111.1.1.1?

 

thanks


Re: Public IP on MX incoming and outgoing

Outgoing traffic is not controlled by these 1:Many rules. The outgoing traffic would still use the interface IP of the MX.
