Request for Best Practice – Deploying Second Firewall Between LAN and Server Segment with Meraki

jOMeraki2
Getting noticed

Hi everyone,

I’m working on a network setup where I have a Meraki MX firewall connected directly to the internet. Due to government security requirements, I need to add a second firewall between the LAN and a dedicated server segment.

In this design:

  • The Meraki MX67 is the edge firewall connected to the internet. -> average client count: 250 users

  • The second MX85 firewall will sit between the LAN and the internal servers. Number of servers: 2 HP DL380 G10 with 2 VMs (ERP system)?

  • From the server side, this second firewall will act as the "internet gateway" (via the MX).

I’m concerned about NAT behavior, routing, and potential visibility issues (like client tracking, traffic shaping, etc.) when Meraki is not the final hop to the server.

I noticed the “NAT Exceptions” / “Manual NAT” feature on Meraki, and I’m trying to understand if it can help in this case.

Question:
What’s the recommended best practice for this kind of deployment using Meraki MX? Any advice or design considerations to avoid double NAT issues, maintain security, and preserve Meraki’s visibility?

Thanks in advance!

9 Replies
GIdenJoe
Kind of a big deal

I would never install an MX67 if your average client count is 250...
If your second firewall also needs to serve as an internet gateway then your only choice is to have both the MX67 and the MX85 directly connected to the internet and have a separate /30 LAN segment between both firewalls and just route internally between your users and the servers.

Then you still have the NAT for internet bound traffic and you don't have NAT in between them.

GIdenJoe
Kind of a big deal

Alternatively if you don't want to bother your MX67 with the traffic going to the servers you could have your user VLANs terminate on a L3 switch and have that L3 switch have a /30 uplink to each MX.

This way user traffic to the internet would route via the L3 switch to the MX67 and user traffic to the servers would route from the L3 switch directly to the MX85.

jOMeraki2
Getting noticed

Thanks for the explanation, but I’m still having trouble fully understanding the setup — especially the part about the /30 between the firewalls and avoiding NAT internally.

Would it be possible for you to clarify it further with a simple diagram or drawing?

I have an MX67 and an MX85, and I’m trying to understand the best way to separate internal traffic from internet-bound traffic without doing NAT between them.

GIdenJoe
Kind of a big deal

Scenario 1: traffic goes through both MXes:

[diagram: GIdenJoe_1-1752734884362.png]

Scenario 2: routing via L3 switch

[diagram: GIdenJoe_2-1752735159037.png]
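As an added illustration of scenario 1 (not code from the thread, GIdenJoe or Meraki): a small Python route model that traces a user-to-server flow and its return path across the /30 transit, and flags the case where a missing static route would send the reply out an MX WAN, where NAT applies. All device names, subnets and addresses are assumptions chosen for the example.

```python
import ipaddress as ipa

# Constructed model of the "/30 transit between MX67 and MX85" design.
# Addresses are assumptions for illustration, not from the thread.
SCENARIO_1 = {
    "MX67": {"ifaces": ["10.10.0.1/24", "10.255.0.1/30"],   # users + transit
             "static": [("10.20.0.0/24", "10.255.0.2"), ("0.0.0.0/0", "WAN")]},
    "MX85": {"ifaces": ["10.20.0.1/24", "10.255.0.2/30"],   # servers + transit
             "static": [("10.10.0.0/24", "10.255.0.1"), ("0.0.0.0/0", "WAN")]},
}

def owners(devices):
    """Map every interface IP to the device owning it (next-hop resolution)."""
    return {str(ipa.ip_interface(c).ip): n for n, d in devices.items() for c in d["ifaces"]}

def lookup(dev, dst):
    """Longest-prefix match over connected subnets and static routes."""
    dst, best = ipa.ip_address(dst), None
    cands = [(ipa.ip_interface(c).network, "connected") for c in dev["ifaces"]]
    cands += [(ipa.ip_network(p), nh) for p, nh in dev["static"]]
    for net, nh in cands:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(devices, start, dst, max_hops=8):
    """Follow routes from gateway `start` to `dst`: (delivered, path, left_via_wan)."""
    own, path, cur = owners(devices), [start], start
    for _ in range(max_hops):
        hit = lookup(devices[cur], dst)
        if hit is None:
            return False, path, False
        nh = hit[1]
        if nh == "connected":
            return True, path, False
        if nh == "WAN":            # default route: this MX would NAT the flow on its WAN
            return False, path + ["WAN"], True
        cur = own.get(nh)
        if cur is None:            # next hop is not on any connected subnet
            return False, path, False
        path.append(cur)
    return False, path, False

def check_symmetric(devices, user_gw, user_ip, server_gw, server_ip):
    """Both directions must be delivered internally and never leave via a WAN."""
    fwd = trace(devices, user_gw, server_ip)
    rev = trace(devices, server_gw, user_ip)
    return {"forward": fwd, "reverse": rev, "ok": fwd[0] and rev[0] and not (fwd[2] or rev[2])}

if __name__ == "__main__":
    print(check_symmetric(SCENARIO_1, "MX67", "10.10.0.50", "MX85", "10.20.0.10"))
```

Drop the `10.10.0.0/24` route from the MX85 and the reverse trace ends at `["MX85", "WAN"]`, which is exactly the asymmetric, NATed return path the /30 design is meant to avoid.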

jOMeraki2
Getting noticed

One quick question — do IPS and AMP on the MX67/MX85 only inspect traffic going to/from the internet (WAN), or do they also work on internal routed traffic (LAN-to-LAN), such as traffic between users and servers?

Just trying to understand what kind of protection applies within the LAN when using a Layer 3 switch for internal routing.

GIdenJoe
Kind of a big deal

IPS inspection is done on all traffic routed through the firewall.

You can of course set trusted IP ranges or applications to fast-path these flows so they bypass IPS inspection. I'm not sure if that also bypasses the AMP portion.

If you have multiple VLANs behind the L3 switch they will be able to reach each other directly without passing through the firewall. However the traffic going to the servers is going through either 1 or 2 firewalls depending on the chosen setup. You can of course use ACLs on the switches (like you also would in an adaptive policy setup) or you could have switches that support VRFs and then you can force some traffic to go through the firewall.

PhilipDAth
Kind of a big deal

For this use case, I would consider running the MX85 in "passthrough" mode. In this configuration, it acts like a layer 2 bridge. It doesn't touch any IP addressing. It just monitors and does firewalling.

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Layer_2_Functionality#Passthrough_Mode

SoCalRacer
Kind of a big deal

Why not use the MX85 as the edge firewall and the MX67 between the MX85 and the server?

Blue_Bird
Getting noticed