Routing internal SMTP traffic out a specific public IP address on an MX100

Tilbard
New here


We have a /28 public IP range, and a backup /32 connection on a separate ISP. The first IP in the /28 range is assigned to our MX100. Is it possible to have SMTP traffic (TCP25) from a handful of internal IP addresses go out via a specific different IP address in the /28 range? I found that you can use a Flow Rule to force port 25 from those IPs to go out via the correct ISP, but it doesn't seem to allow you to force it to a specific IP address on that network.


In the SonicWALL world that we're moving from, we just made a LAN to WAN NAT rule that accomplished this for a specific port, or a route for all traffic from a specific IP, but I can't seem to figure out the proper way to do it in the Meraki world.

MRCUR
Kind of a big deal

You can create a 1:Many NAT rule on the Firewall page (very bottom). This should accomplish what you're looking for. 

MRCUR | CMNO #12

This works for routing outgoing internal traffic? Presumably I just do the exact opposite of a normal External to Internal 1:Many NAT rule?


So assuming my internal network is 192.168.0.1/24, and external is 8.8.8.0/24, and I want all SMTP traffic from 192.168.0.100 to go out 8.8.8.4, I'd create a rule as follows:

Public IP: 192.168.0.100
Protocol: TCP
Public port: 25
LAN IP: 8.8.8.4
Local port: 25
Allowed remote IPs: any


Is that what you're saying?

MRCUR
Kind of a big deal

No, you need to supply a public IP that the MX has configured on its WAN interface subnet. Then in the LAN IP, you can put your internal network that you want to use the configured public IP for SMTP traffic. 

MRCUR | CMNO #12

Won't that just route INCOMING traffic on that IP address to the NAT'd internal address? I want to make traffic going from the internal address go out a specific Public IP address. For the record, I already have that rule.


So in my example above, the MX100's WAN1 port is assigned the IP address 8.8.8.1. Left alone, all SMTP traffic from 192.168.0.100 will go out via that IP address. But I want all outgoing SMTP traffic from 192.168.0.100 to go out via 8.8.8.4 instead of 8.8.8.1.

MRCUR
Kind of a big deal

NAT rules are bidirectional - otherwise there wouldn't be a valid return path. I haven't tried this specific setup with 1:Many NAT, but I don't see why it wouldn't work. 

MRCUR | CMNO #12

Doesn't work. Just tested using port 80/443 and did a public IP lookup. Lookup reported the WAN IP address assigned to the WAN1 interface, not the NAT'd IP address unfortunately.
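The outcome reported in the thread follows from how a stateful port-forward (1:Many) NAT works: the return path of an inbound, translated flow is rewritten back to the published IP, but a connection initiated from the LAN is a new flow that simply gets the WAN interface address. The toy model below is an added example, not code from the thread or from Meraki; it reuses the thread's example addresses, and its connection-tracking logic is an assumed generic NAT model, not the MX100's implementation.

```python
# Added example: a minimal stateful 1:Many NAT model (assumed generic behaviour,
# not Meraki's code) using the thread's example addresses.

WAN_IP = "8.8.8.1"  # address configured on the MX WAN1 interface
# 1:Many NAT rule as the thread describes it:
# (public_ip, proto, public_port) -> (lan_ip, local_port)
RULES = {("8.8.8.4", "tcp", 25): ("192.168.0.100", 25)}


def make_nat():
    # conntrack: (proto, lan_ip, lan_port, remote_ip, remote_port) -> public IP
    # recorded when an inbound packet was DNAT'd, so replies can be undone.
    conntrack = {}

    def inbound(pkt):
        """Packet arriving from the Internet on the WAN side."""
        key = (pkt["dst"], pkt["proto"], pkt["dport"])
        if key not in RULES:
            return None  # no rule and no existing state: dropped
        lan_ip, lport = RULES[key]
        conntrack[(pkt["proto"], lan_ip, lport, pkt["src"], pkt["sport"])] = pkt["dst"]
        return {**pkt, "dst": lan_ip, "dport": lport}

    def outbound(pkt):
        """Packet leaving a LAN host toward the Internet."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in conntrack:
            # Reply to a DNAT'd flow: source restored to the rule's public IP.
            return {**pkt, "src": conntrack[key]}
        # New LAN-initiated flow: plain overload NAT on the WAN interface IP.
        return {**pkt, "src": WAN_IP}

    return inbound, outbound


def demo():
    """Returns (DNAT'd dst, reply src, new-outbound src) for constructed traffic."""
    inbound, outbound = make_nat()
    # Constructed: a remote MTA at 203.0.113.9 connects to the published SMTP IP.
    syn = inbound({"src": "203.0.113.9", "sport": 40000,
                   "dst": "8.8.8.4", "dport": 25, "proto": "tcp"})
    # The server's reply is translated back: this is the "bidirectional" part.
    reply = outbound({"src": "192.168.0.100", "sport": 25,
                      "dst": "203.0.113.9", "dport": 40000, "proto": "tcp"})
    # A connection the internal host initiates itself is a new flow and leaves
    # with the WAN1 address, matching the public-IP lookup result in the thread.
    new = outbound({"src": "192.168.0.100", "sport": 51000,
                    "dst": "203.0.113.9", "dport": 25, "proto": "tcp"})
    return syn["dst"], reply["src"], new["src"]
```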

