Replacing PfSense by MX100 with DMZ configurations
Currently we have a DMZ configured on a pfSense firewall and I'm trying to find a way to move the DMZ configurations from the pfSense to the Meraki MX100.
Up-link to ISP = x.x.236.4/30 ( Public IP address )
DMZ subnet = x.x.236.160/28 ( Public IP address )
DMZ servers do have public IP addresses assigned, and NAT is used to translate those public server IPs to private IP addresses on the internal servers.
On the MX100 in NAT mode I don't see how to configure it and get the same result as on the pfSense.
The way forward, I think, is to remove the /30 up-link to ISP subnet and configure the /28 between the ISP and the external MX WAN interface. 1:1 NAT can be used to send traffic from the internet to the internal server.
Does anyone have another approach to solve this issue?
Yes, I can keep the /30 stub. Currently the /30 stub is the only connection between the pfSense and the ISP. The point is, if I use the /30 for the connection between the MX100 and the ISP, I won't be able to do NAT on the /28 subnet, because it is not configured on the WAN of the MX100.
@PhilipDAth is correct. If the ISP routes the /28 pointing to your MX, even if it's a /30 network connection, it will work.
If you have one server per public IP, then you can use 1:1 NAT. If you have multiple servers sharing an IP address, you can use 1:Many NAT. This allows you to define ports to internal IP addresses and the internal ports as well. Just as long as the ISP routes the /28 network to your MX, it will work.
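The addressing plan discussed in this thread, as an added example that is not part of any poster's reply: a Python check that a planned set of 1:1 and 1:Many NAT rules stays inside the routed /28, maps to private LAN addresses, and does not reuse a public IP or forwarded port. The 203.0.113.160/28 block and 10.0.10.x hosts are constructed stand-ins for the masked x.x.236.160/28 and the internal servers; the function name and rule tuple layout are hypothetical and are not a Meraki API.

```python
import ipaddress

# Constructed stand-ins: the thread masks its real prefix as x.x.236.160/28.
ROUTED_DMZ = ipaddress.ip_network("203.0.113.160/28")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def validate_nat_plan(one_to_one, one_to_many, routed=ROUTED_DMZ):
    """Return a list of problems in a planned NAT rule set (hypothetical layout).

    one_to_one:  [(public_ip, lan_ip)]
    one_to_many: [(public_ip, protocol, public_port, lan_ip, lan_port)]
    """
    problems = []

    def check_addrs(pub, lan):
        if ipaddress.ip_address(pub) not in routed:
            problems.append(f"{pub}: outside routed block {routed}")
        if not any(ipaddress.ip_address(lan) in net for net in RFC1918):
            problems.append(f"{lan}: LAN target is not a private address")

    seen_public = set()
    for pub, lan in one_to_one:
        check_addrs(pub, lan)
        if pub in seen_public:  # 1:1 means one server per public IP
            problems.append(f"{pub}: used by more than one 1:1 rule")
        seen_public.add(pub)

    seen_ports = set()
    for pub, proto, pub_port, lan, _lan_port in one_to_many:
        check_addrs(pub, lan)
        key = (pub, proto, pub_port)
        if key in seen_ports:  # a shared IP can forward each port only once
            problems.append(f"{pub} {proto}/{pub_port}: forwarded to more than one LAN target")
        seen_ports.add(key)
    return problems

# Constructed sample plan with three deliberate mistakes.
SAMPLE_1TO1 = [("203.0.113.162", "10.0.10.12"),
               ("203.0.113.162", "10.0.10.13"),   # duplicate public IP
               ("203.0.113.180", "10.0.10.14")]   # outside the /28
SAMPLE_1TOMANY = [("203.0.113.165", "tcp", 443, "10.0.10.20", 8443),
                  ("203.0.113.165", "tcp", 443, "10.0.10.21", 443),  # port clash
                  ("203.0.113.165", "tcp", 25, "10.0.10.22", 25)]

if __name__ == "__main__":
    for problem in validate_nat_plan(SAMPLE_1TO1, SAMPLE_1TOMANY):
        print(problem)
```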