Meraki

Community

Replacing PfSense by MX100 with DMZ configurations

Solved
bayet
Getting noticed
‎Dec 13 2017 3:53 AM
‎Dec 13 2017 3:53 AM

Replacing PfSense by MX100 with DMZ configurations

Currently we have a DMZ configure on a Pf Sense Firewall and I'm trying to find a way to move the DMZ configurations from the Pf Sense to Meraki MX100.

 

Current configuration:

  •  Up-link to ISP = x.x.236.4/30  ( Public IP address )
  • DMZ subnet = x.x.236.160/28 ( Public IP address )
    • DMZ servers do have public IP addresses assign and using NAT to translate those public server IP to private IP address on the internal servers.

On the MX100 in NAT mode I don't see how to configure and get the same result as on the Pf Sense.

 

The way forward I think is to remove the /30 up-link to ISP subnet and configure the /28 between the ISP and the external MX WAN interface. 1:1 NAT can be use to send traffic from internet to the internal server.

 

Does anyone has another approach how to solve this issue.

 

Thank you.

0 Kudos
1 Accepted Solution
In response to bayet
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 13 2017 6:35 AM
‎Dec 13 2017 6:35 AM

That is incorrect.  As long as the /28 is routed via the stub NAT will work.

View solution in original post

4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 13 2017 4:04 AM
‎Dec 13 2017 4:04 AM

The hosts in the DMZ must have private IP addresses.

 

Then you can configure a 1:1 NAT from the DMZ public IP address pool to the private IP address of the host in the DMZ.

https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Configuring_1%3A1_NAT

 

Can you keep the current /30 stub network.

0 Kudos
In response to PhilipDAth
bayet
Getting noticed
‎Dec 13 2017 6:26 AM
‎Dec 13 2017 6:26 AM

Thank you PhilipDAth,

Yes I can keep the /30 stub. Currently the /30 stub is the only connection between the PfSense en the ISP. The point is, if I use the /30 for the connection between the MX100 en the ISP, I won't be able to do NAT on the /28 subnet, because is not configure on the WAN of the MX100.
0 Kudos
In response to bayet
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 13 2017 6:35 AM
‎Dec 13 2017 6:35 AM

That is incorrect.  As long as the /28 is routed via the stub NAT will work.

In response to PhilipDAth
Chris_M
Getting noticed
‎Dec 13 2017 8:41 AM
‎Dec 13 2017 8:41 AM

@PhilipDAth is correct. If the ISP route the /28 pointing to your MX, even if its a /30 network connection, it will work.

 

If you have one server per public IP, then you can use 1:1 NAT. If you have multiple servers sharing IP address, you can use 1:Many NAT.. This allows you to define ports to internal IP address and the internal ports as well. Just as long as the ISP route the /28 network to your MX, it will work.


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.