Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Transparent DMZ option on a NAT mode MX appliance; is there a way?

Solved
RJordan-CCS
Getting noticed
‎Apr 23 2018 8:49 AM
‎Apr 23 2018 8:49 AM

Transparent DMZ option on a NAT mode MX appliance; is there a way?

We are looking at an MX84 to replace a Sonicwall in use at our core site.  We have a public range with 5 available public IP addresses from the ISP, and currently have two of those assigned to devices on a transparent DMZ; that means the actual devices hold those public addresses, there is no NAT'ting involved.  The DMZ devices come off a separate port on the firewall, and their traffic is analyzed and protected by the firewall and passed to the primary default gateway.

 

The primary LAN and other ranges ARE NAT'ted by the Sonicwall.  

 

So far I don't see a way to do this on the MX; the only way to use the other public addresses that I've found is using 1:1 NAT, with the potentially critical servers being placed in a different VLAN on the NAT'ed (LAN) side.  I'm surprised if that is actually the case; is it?

Another question: is there any equivalent to the security 'Zone's on the Sonicwall?  Essentially they are group objects that you can collect multiple subnets or interfaces under, and apply common firewall rules to.

 

Thanks


Rich

 

0 Kudos
Subscribe
1 Accepted Solution
ScottWinCO
Here to help
‎Apr 23 2018 8:57 AM
‎Apr 23 2018 8:57 AM

It's not documented by Meraki, but there is a way and it does occupy one of the addresses in your /29. You'd create a VLAN (say VLAN 2) and assign one of your public addresses to that internal VLAN. The hosts on the inside can then use the public addresses directly and they'd use the address assigned to the LAN side of the MX as a GW instead of the ISP provided GW. You'd also have to create a 1:1 NAT mapping and allow specific (or ANY) ports through. It's not exactly the same way you'd do it on a Sonicwall, but it does allow you to use the publicly routable addresses on your hosts without having to physically put them on the WAN.

 

As far as I know there is not a "zone" equivalent in the MX config.

View solution in original post

Subscribe
3 Replies 3
ScottWinCO
Here to help
‎Apr 23 2018 8:57 AM
‎Apr 23 2018 8:57 AM

It's not documented by Meraki, but there is a way and it does occupy one of the addresses in your /29. You'd create a VLAN (say VLAN 2) and assign one of your public addresses to that internal VLAN. The hosts on the inside can then use the public addresses directly and they'd use the address assigned to the LAN side of the MX as a GW instead of the ISP provided GW. You'd also have to create a 1:1 NAT mapping and allow specific (or ANY) ports through. It's not exactly the same way you'd do it on a Sonicwall, but it does allow you to use the publicly routable addresses on your hosts without having to physically put them on the WAN.

 

As far as I know there is not a "zone" equivalent in the MX config.

Subscribe
In response to ScottWinCO
db-2018
New here
‎Jun 28 2018 4:37 PM
‎Jun 28 2018 4:37 PM

I am trying to setup almost the exact same thing.

 

My new ISP has given me a static block that is on a different subnet/range than the wan IP they have given me.

 

For example (these are not the actual IP's)

WAN IP - 66.146.110.242

WAN Subnet - 255.255.255.252

WAN Gateway - 66.146.110.241

 

The static block is 66.146.105.96/27

 

I have added the Local VLan (named DMZ) on my mx400 with the interface IP of 66.146.105.97 with vlan ID 500

 

I have a laptop plugged into a switch on port 23 which is an access port on vlan 500. I set the static IP of the laptop to 66.146.105.110 with a gateway of 66.146.105.97 (the interface IP on the mx 400). the laptop can reach the outside world perfectly but nothing can come into it.

my question on the 1:1 NAT is: should the WAN IP and the LAN IP of the NAT rule be the same (66.146.105.110)?

 

also, any 1:1 NAT rules work fine for the devices that are on my internal 10.1.0.0/16 network (even without the DMZ vlan on the mx400)

 

Thanks!

0 Kudos
Subscribe
In response to db-2018
Sprocket
Here to help
‎Mar 11 2020 8:38 AM
‎Mar 11 2020 8:38 AM

Hey, db-18, I'm currently struggling with the exact same situation and was wondering if you had success with this setup?
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.