Transparent DMZ option on a NAT mode MX appliance; is there a way?

Solved
RJordan-CCS
Getting noticed

We are looking at an MX84 to replace a Sonicwall in use at our core site. We have a public range with 5 available public IP addresses from the ISP, and currently have two of those assigned to devices on a transparent DMZ; that means the actual devices hold those public addresses, there is no NATting involved. The DMZ devices come off a separate port on the firewall, and their traffic is analyzed and protected by the firewall and passed to the primary default gateway.

The primary LAN and other ranges ARE NATted by the Sonicwall.

So far I don't see a way to do this on the MX; the only way to use the other public addresses that I've found is using 1:1 NAT, with the potentially critical servers being placed in a different VLAN on the NATed (LAN) side. I'm surprised if that is actually the case; is it?

Another question: is there any equivalent to the security 'Zones' on the Sonicwall? Essentially they are group objects that you can collect multiple subnets or interfaces under, and apply common firewall rules to.

Thanks


Rich

1 Accepted Solution
ScottWinCO
Here to help

It's not documented by Meraki, but there is a way and it does occupy one of the addresses in your /29. You'd create a VLAN (say VLAN 2) and assign one of your public addresses to that internal VLAN. The hosts on the inside can then use the public addresses directly and they'd use the address assigned to the LAN side of the MX as a GW instead of the ISP provided GW. You'd also have to create a 1:1 NAT mapping and allow specific (or ANY) ports through. It's not exactly the same way you'd do it on a Sonicwall, but it does allow you to use the publicly routable addresses on your hosts without having to physically put them on the WAN.

As far as I know there is not a "zone" equivalent in the MX config.

3 Replies
db-2018
New here

I am trying to set up almost the exact same thing.

My new ISP has given me a static block that is on a different subnet/range than the WAN IP they have given me.

For example (these are not the actual IPs):

WAN IP - 66.146.110.242

WAN Subnet - 255.255.255.252

WAN Gateway - 66.146.110.241

The static block is 66.146.105.96/27

I have added the local VLAN (named DMZ) on my MX400 with the interface IP of 66.146.105.97 and VLAN ID 500.

I have a laptop plugged into a switch on port 23, which is an access port on VLAN 500. I set the static IP of the laptop to 66.146.105.110 with a gateway of 66.146.105.97 (the interface IP on the MX400). The laptop can reach the outside world perfectly, but nothing can come into it.

My question on the 1:1 NAT is: should the WAN IP and the LAN IP of the NAT rule be the same (66.146.105.110)?

Also, any 1:1 NAT rules work fine for the devices that are on my internal 10.1.0.0/16 network (even without the DMZ VLAN on the MX400).

Thanks!
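As an added illustration of the layout the accepted solution describes, using the example addresses from db-2018's post above, here is a Python helper (not Meraki's code and not either poster's) that builds the DMZ VLAN and 1:1 NAT payloads in the shape of the Meraki Dashboard API v1 and checks every address against the public block before anything is pushed. Mapping each public address to itself in the 1:1 rule is an assumption (the thread does not settle that question), as are the helper's name and the port list; verify the field names against the current API reference before use.

```python
import ipaddress
import json

# Constructed example values, copied from db-2018's post (they note these are not real).
DMZ_BLOCK = "66.146.105.96/27"  # routed public block supplied by the ISP
MX_VLAN_IP = "66.146.105.97"    # public address given to the MX's LAN-side DMZ VLAN
VLAN_ID = 500
HOSTS = {"dmz-laptop": "66.146.105.110"}  # hosts that keep their public address


def build_dmz_config(block, mx_ip, vlan_id, hosts, inbound_ports=("443",)):
    """Return (vlan_payload, nat_payload) for the MX DMZ VLAN and its 1:1 NAT rules.
    Hypothetical helper: field names follow the Dashboard API v1 endpoints
    POST /networks/{id}/appliance/vlans and
    PUT  /networks/{id}/appliance/firewall/oneToOneNatRules.
    Raises ValueError for an address outside the block, the network or
    broadcast address, the MX's own address, or a duplicate host.
    """
    net = ipaddress.ip_network(block, strict=True)
    mx = ipaddress.ip_address(mx_ip)
    reserved = {net.network_address, net.broadcast_address}
    if mx not in net or mx in reserved:
        raise ValueError(f"MX address {mx} is not a usable host address in {net}")
    vlan = {"id": vlan_id, "name": "DMZ", "subnet": str(net), "applianceIp": str(mx)}

    rules, seen = [], set()
    for name, ip in hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net or addr in reserved or addr == mx or addr in seen:
            raise ValueError(f"host {name} ({addr}) is not a free host address in {net}")
        seen.add(addr)
        rules.append({
            "name": name,
            # Assumption: the host already holds the public address, so the rule
            # maps that address to itself rather than to a private LAN address.
            "publicIp": str(addr),
            "lanIp": str(addr),
            "uplink": "internet1",
            # Scope inbound to named TCP ports instead of ANY; widen only as needed.
            "allowedInbound": [{"protocol": "tcp",
                                "destinationPorts": list(inbound_ports),
                                "allowedIps": ["any"]}],
        })
    return vlan, {"rules": rules}


if __name__ == "__main__":
    vlan, nat = build_dmz_config(DMZ_BLOCK, MX_VLAN_IP, VLAN_ID, HOSTS)
    print(json.dumps({"vlan": vlan, "oneToOneNat": nat}, indent=2))
```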

Sprocket
Getting noticed

Hey, db-2018, I'm currently struggling with the exact same situation and was wondering if you had success with this setup?