cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Replacing PfSense by MX100 with DMZ configurations

SOLVED
Go to solution
bayet
Getting noticed
‎12-13-2017 03:53 AM
‎12-13-2017 03:53 AM

Replacing PfSense by MX100 with DMZ configurations

Currently we have a DMZ configure on a Pf Sense Firewall and I'm trying to find a way to move the DMZ configurations from the Pf Sense to Meraki MX100.

 

Current configuration:

  •  Up-link to ISP = x.x.236.4/30  ( Public IP address )
  • DMZ subnet = x.x.236.160/28 ( Public IP address )
    • DMZ servers do have public IP addresses assign and using NAT to translate those public server IP to private IP address on the internal servers.

On the MX100 in NAT mode I don't see how to configure and get the same result as on the Pf Sense.

 

The way forward I think is to remove the /30 up-link to ISP subnet and configure the /28 between the ISP and the external MX WAN interface. 1:1 NAT can be use to send traffic from internet to the internal server.

 

Does anyone has another approach how to solve this issue.

 

Thank you.

0 Kudos
Subscribe
1 ACCEPTED SOLUTION
In response to bayet
PhilipDAth
Kind of a big deal
Kind of a big deal
‎12-13-2017 06:35 AM
‎12-13-2017 06:35 AM

That is incorrect.  As long as the /28 is routed via the stub NAT will work.

View solution in original post

Subscribe
4 REPLIES 4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎12-13-2017 04:04 AM
‎12-13-2017 04:04 AM

The hosts in the DMZ must have private IP addresses.

 

Then you can configure a 1:1 NAT from the DMZ public IP address pool to the private IP address of the host in the DMZ.

https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Configuring_1%3A1_NAT

 

Can you keep the current /30 stub network.

0 Kudos
Subscribe
In response to PhilipDAth
bayet
Getting noticed
‎12-13-2017 06:26 AM
‎12-13-2017 06:26 AM

Thank you PhilipDAth,

Yes I can keep the /30 stub. Currently the /30 stub is the only connection between the PfSense en the ISP. The point is, if I use the /30 for the connection between the MX100 en the ISP, I won't be able to do NAT on the /28 subnet, because is not configure on the WAN of the MX100.
0 Kudos
Subscribe
In response to bayet
PhilipDAth
Kind of a big deal
Kind of a big deal
‎12-13-2017 06:35 AM
‎12-13-2017 06:35 AM

That is incorrect.  As long as the /28 is routed via the stub NAT will work.

Subscribe
In response to PhilipDAth
Chris_M
Getting noticed
‎12-13-2017 08:41 AM
‎12-13-2017 08:41 AM

@PhilipDAth is correct. If the ISP route the /28 pointing to your MX, even if its a /30 network connection, it will work.

 

If you have one server per public IP, then you can use 1:1 NAT. If you have multiple servers sharing IP address, you can use 1:Many NAT.. This allows you to define ports to internal IP address and the internal ports as well. Just as long as the ISP route the /28 network to your MX, it will work.


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2023 Meraki