Does anyone else have a need for secondary IP addresses on interfaces on MX devices? I have seen customers that are trying to leverage MX to replace SMB firewall products and they need support for an additional /29 on the WAN interface to allow for additional 1:1 NAT configurations. I feel like this is a shortfall but curious if others see it the same way. Also helps with migrations/re-ip addressing of subnets on internal interfaces at times.
[Mod comment: changing thread title to reflect thread contents!]
Hey @NCITPro. I'm a little confused by your statements. In my experience with firewalls, 1:1 NAT and secondary IP addresses have no relationship. In every case I've ever worked on, the Meraki MX included, 1:1 NATs are more akin to a VIP as opposed to a secondary address. If you have a /29 for your WAN subnet, you can configure 1:1 NAT on an MX for the unused addresses in that subnet. You can also configure 1:1 NAT for addresses in another subnet.
I'm with @jdsilva - these are two separate things. You just get the extra /29 routed towards the MX and configure 1:1 NAT. I've done it several times before and it works fine.
Thanks. I have not had a chance to try it yet, but in looking at how I would do it, I expected to need to be able to configure it on an interface somehow. I even stopped by the Meraki zone at CLUS the other week and asked. I was told to assign it to an interface, even if that interface was not in use, but I cannot use those IPs in NAT if I did it on a non-WAN interface. I will certainly give this a shot when the addresses get assigned this week.
Agree with other commenters on this. Have a look here: https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX