I have a /28 public IP pool, have set my security appliance to NAT mode, and have given the rest of the public IP addresses to my clients through MS 220, 350 & 425. Clients are complaining that they can't ping or access the public IPs from other ISPs.
Kindly help me to fix this issue.
Regards
Khurram Shahzad
I would suggest opening a case with Meraki Support for configuration assistance. I'm not sure I understood your exact design requirement, but it sounds like you may want to configure the MX in NAT mode as an Internet-facing firewall and then have a DMZ VLAN configured with public-facing machines (a web server, perhaps), along with internal VLAN(s) and some 1:1 NAT rules. Perhaps this Support doc might be useful: https://documentation.meraki.com/MX-Z/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Securi...
But I'd suggest opening a case with Support, including a network diagram with your addressing, and describing the pings to your public IPs that are failing. If applicable, also check out the separate Support docs on 1:1 NAT and port forwarding: https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Configuring_1%3A1_NAT and https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_M...
Hope that helps!
Is your security appliance doing DHCP and giving your clients private IP addresses (which will then be NATed)?
Yes, my security appliance is assigning private IP addresses to my clients through DHCP, but I have assigned public IPs to some customers. Through that, the internet works fine, but they cannot ping the public IP from other ISPs.
Security Appliance > Firewall
When you set up the public IP to LAN IP NAT, you have to set the allowed inbound connections rule to:
Protocol: ICMP
Remote IPs: Any or a subnet if you want to be more specific on who can ping.
Dear, I am not assigning private IPs to my clients. I am assigning them public IPs.
Ah so you are having issues pinging out? Any difference if you ping the IP directly vs name to make sure it isn't a DNS issue?
I have put my case in to Cisco Meraki, but they are not providing me any solution and are not even bothering to reply to my emails. Kindly suggest the solution, as I am losing my clients.
Like @Adam, I cannot clearly understand your configuration, which is making it very hard to help you. Let's get specific.
Please answer these questions:
For the ping that does not work:
Kindly see the topology diagram below; 5.5.5.0 is the public IP subnet.
Thank you for the diagram. Now give me an example: which one of the devices depicted cannot get to what kind of destination?
"Whenever I try to ping 5.5.5.3 from another ISP, I always get a 'request timed out' message."
So you mean if some external source tries to ping the 5.5.5.3 client, they get 'request timed out' or no replies?
If you are wanting publicly accessible IPs on your private clients, I think you'd want to do either of the following.
1. Set the MX to passthrough mode.
2. Keep the MX set to NAT mode and give your internal client machines some internal DHCP range of static IPs. For example, PC-PT might have an internal static IP of 10.0.0.3. Then go to Security Appliance > Firewall and set up your 1:1 NATs with selective "allowed inbound connection" firewall rules. Here would be a screenshot example.
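As an added example illustrating the two posts above (the ICMP "allowed inbound connections" rule and Adam's option 2), here is a small Python script that builds 1:1 NAT rules for an MX in NAT mode and checks them for the mistakes this thread is about: a public IP outside the /28 pool, a "LAN IP" that is itself public rather than a private address behind the MX, and a rule with no inbound ICMP entry, which is exactly the case where an external ping gets "request timed out". This is not code from the original posts or from Cisco Meraki. It assumes the Dashboard API v1 endpoint `PUT /networks/{networkId}/appliance/firewall/oneToOneNatRules` with its rule shape (`name`, `publicIp`, `lanIp`, `uplink`, `allowedInbound` entries with `protocol` of `tcp`/`udp`/`icmp-ping`/`any`, `destinationPorts` and `allowedIps`) and the `X-Cisco-Meraki-API-Key` header; the addresses 5.5.5.0/28 and 10.0.0.3 are taken from the thread and are only used as sample data.

```python
"""Build and sanity-check Meraki MX 1:1 NAT rules that allow inbound ping.

Added example for this thread, not Meraki's own code. The API endpoint,
rule shape, header name and protocol keyword "icmp-ping" are assumptions
based on the public Dashboard API v1 documentation; verify against your
dashboard before relying on them. 5.5.5.0/28 and 10.0.0.3 are the sample
addresses used in the thread.
"""
import ipaddress
import json
import urllib.request

# Public pool handed to the MX in the thread (sample data, not a real allocation).
PUBLIC_POOL = ipaddress.ip_network("5.5.5.0/28")
API_BASE = "https://api.meraki.com/api/v1"  # assumed base URL


def inbound(protocol, allowed_ips=("any",), ports=("any",)):
    """One 'allowed inbound connections' entry for a 1:1 NAT rule."""
    return {
        "protocol": protocol,                 # "tcp", "udp", "icmp-ping" or "any" (assumed)
        "destinationPorts": list(ports),      # ["any"] for ICMP
        "allowedIps": list(allowed_ips),      # ["any"] or specific remote IPs / CIDRs
    }


def one_to_one_rule(name, public_ip, lan_ip, allowed_inbound, uplink="internet1"):
    """Map one public IP from the pool to one private host behind the MX."""
    return {
        "name": name,
        "publicIp": public_ip,
        "lanIp": lan_ip,
        "uplink": uplink,
        "allowedInbound": list(allowed_inbound),
    }


def check_rules(rules, pool=PUBLIC_POOL, expect_ping=True):
    """Return a list of problems (empty when the rule set looks sane).

    expect_ping=True means an external ping to each public IP is supposed
    to be answered, so every rule needs an ICMP (or 'any') inbound entry.
    """
    problems = []
    seen_public = set()
    for r in rules:
        name = r["name"]
        pub = ipaddress.ip_address(r["publicIp"])
        lan = ipaddress.ip_address(r["lanIp"])

        if pub not in pool:
            problems.append(f"{name}: public IP {pub} is outside the pool {pool}")
        elif pub in (pool.network_address, pool.broadcast_address):
            problems.append(f"{name}: {pub} is the network or broadcast address of {pool}")
        if pub in seen_public:
            problems.append(f"{name}: public IP {pub} is already used by another 1:1 NAT rule")
        seen_public.add(pub)

        # In NAT mode the MX forwards to a host on its LAN; the target must be
        # the host's private address, not a public IP configured on the host.
        if not lan.is_private:
            problems.append(f"{name}: LAN IP {lan} is not a private address; "
                            f"put the host on an RFC 1918 address and NAT to it")

        protocols = {entry["protocol"] for entry in r["allowedInbound"]}
        if expect_ping and not protocols & {"icmp-ping", "any"}:
            problems.append(f"{name}: no inbound rule allows ICMP, so external pings "
                            f"to {pub} will time out")
    return problems


def build_payload(rules):
    """Body for PUT /networks/{networkId}/appliance/firewall/oneToOneNatRules (assumed shape)."""
    return {"rules": list(rules)}


def push_rules(api_key, network_id, rules):
    """Send the rule set to the dashboard. Not executed in the example below."""
    problems = check_rules(rules)
    if problems:
        raise ValueError("refusing to push rules: " + "; ".join(problems))
    req = urllib.request.Request(
        f"{API_BASE}/networks/{network_id}/appliance/firewall/oneToOneNatRules",
        data=json.dumps(build_payload(rules)).encode(),
        method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key,   # assumed header name
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Web server in a DMZ VLAN, reachable on 80/443 and answering ping from anywhere.
    web = one_to_one_rule("web1", "5.5.5.3", "10.0.0.3",
                          [inbound("tcp", ports=("80", "443")), inbound("icmp-ping")])
    # Same host without the ICMP entry: the "request timed out" case from the thread.
    web_no_ping = one_to_one_rule("web1", "5.5.5.3", "10.0.0.3",
                                  [inbound("tcp", ports=("80", "443"))])
    print("good rule:", check_rules([web]) or "OK")
    print("bad rule: ", check_rules([web_no_ping]))
```

`check_rules` is the piece worth keeping: run it over the rule set before pushing, so a public IP that nobody can ping is caught as a missing inbound ICMP entry rather than discovered by a customer.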
Agreed with @Adam's suggestion. It sounds like the MX is running in NAT mode and doing exactly what it should be doing.
If I set the MX to passthrough mode, will I still be able to apply Layer 7 policies?
Kindly reply: if we set the MX to pass-through mode, can we still apply policies?
@khurram wrote: If I set the MX to passthrough mode, will I still be able to apply Layer 7 policies?
It looks like the policies should still be applied in passthrough mode. It would be worth a try; however, I would recommend creating DMZs and NATting to private IPs so that more firewall rules can be managed more easily.
"An MX/Z1 in passthrough mode can be configured to perform a number of functions like when in NAT mode. However, the appliance acts as an invisible third party, only touching traffic when required by a configured function. It can passively perform intrusion detection and collect statistics about traffic passing through it without taking action. It can also perform traffic shaping and content/security filtering functions to intercept and manipulate traffic as needed:"
Hi Khurram,
Did you ever figure this one out?