Meraki

Community

Request for Best Practice – Deploying Second Firewall Between LAN and Server Segment with Meraki

jOMeraki2
Getting noticed
‎Jul 16 2025 5:41 AM
‎Jul 16 2025 5:41 AM

Request for Best Practice – Deploying Second Firewall Between LAN and Server Segment with Meraki

i everyone,

I’m working on a network setup where I have a Meraki MX firewall connected directly to the internet. Due to government security requirements, I need to add a second firewall between the LAN and a dedicated server segment.

In this design:

  • The Meraki MX 67 is the edge firewall connected to the internet. -> average client: 250 user 

  • The second  Mx 85 firewall will sit between the LAN and the internal servers.  Number of server 2 hp del 380 g10 with 2 vm erp system?

  • From the server side, this second firewall will act as the "internet gateway" (via the MX).

I’m concerned about NAT behavior, routing, and potential visibility issues (like client tracking, traffic shaping, etc.) when Meraki is not the final hop to the server.

 

I noticed the “NAT Exceptions” / “Manual NAT” feature on Meraki, and I’m trying to understand if it can help in this case.

 

Question:
What’s the recommended best practice for this kind of deployment using Meraki MX?Any advice or design considerations to avoid double NAT issues, maintain security, and preserve Meraki’s visibility?

Thanks in advance!

Labels:
9 Replies 9
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jul 16 2025 5:51 AM
‎Jul 16 2025 5:51 AM

I would never install an MX67 if your average client count is 250...
If your second firewall also needs to serve as an internet gateway then your only choice is to have both the MX67 and the MX85 directly connected to the internet and have a separate /30 LAN segment between both firewalls and just route internally between your users and the servers.

Then you still have the NAT for internet bound traffic and you don't have NAT in between them.

In response to GIdenJoe
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jul 16 2025 6:39 AM
‎Jul 16 2025 6:39 AM

Alternatively if you don't want to bother your MX67 with the traffic going to the servers you could have your user VLANs terminate on a L3 switch and have that L3 switch have a /30 uplink to each MX.

This way user traffic to the internet would route via de L3 switch to the MX67 and user traffic to the servers would route from the L3 switch directly to the MX85.

In response to GIdenJoe
jOMeraki2
Getting noticed
‎Jul 16 2025 9:59 AM
‎Jul 16 2025 9:59 AM

Thanks for the explanation, but I’m still having trouble fully understanding the setup — especially the part about the /30 between the firewalls and avoiding NAT internally.

Would it be possible for you to clarify it further with a simple diagram or drawing?

I have an MX67 and an MX85, and I’m trying to understand the best way to separate internal traffic from internet-bound traffic without doing NAT between them.

0 Kudos
In response to jOMeraki2
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jul 16 2025 11:52 PM
‎Jul 16 2025 11:52 PM

Scenario 1: traffic goes through both MX'es:

GIdenJoe_1-1752734884362.png

 

Scenario 2: routing via L3 switch

GIdenJoe_2-1752735159037.png

 

In response to GIdenJoe
jOMeraki2
Getting noticed
‎Jul 16 2025 10:37 AM
‎Jul 16 2025 10:37 AM

One quick question — do IPS and AMP on the MX67/MX85 only inspect traffic going to/from the internet (WAN), or do they also work on internal routed traffic (LAN-to-LAN), such as traffic between users and servers?

Just trying to understand what kind of protection applies within the LAN when using a Layer 3 switch for internal routing.

0 Kudos
In response to jOMeraki2
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jul 16 2025 11:38 PM
‎Jul 16 2025 11:38 PM

IPS inspection is done on all traffic routed through the firewall.

You can of course set trusted IP ranges or applications to fast path these flows so it bypasses the IPS inspection.  I'm not sure if that then also bypasses the AMP portion.

If you have multiple VLANs behind the L3 switch they will be able to reach each other directly without passing through the firewall.  However the traffic going to the servers is going through either 1 or 2 firewalls depending on the chosen setup.  You can of course use ACL's on the switches (like you also would in a adaptive policy setup) or you could have switches that support VRF's and then you can force some traffic to go through the firewall.

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 16 2025 1:19 PM
‎Jul 16 2025 1:19 PM

For this use case, I would consider running the MX85 in "passthough" mode.  In this configuration, it acts like a layer 2 bridge.  It doesn't touch any IP addressing.  It just monitors and does firewalling.

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Layer_2_Functionality#Passthrough_Mode

 

0 Kudos
SoCalRacer
Kind of a big deal
‎Jul 16 2025 3:05 PM
‎Jul 16 2025 3:05 PM

Why not use the MX85 as the edge firewall and the MX67 between the MX85 and the server?

0 Kudos
Blue_Bird
Getting noticed
‎Jul 17 2025 12:17 AM
‎Jul 17 2025 12:17 AM

Check this link:

https://documentation.meraki.com/MS/Meraki_Campus_LAN%3B_Planning%2C_Design_Guidelines_and_Best_Prac...

 

Thanks

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.