Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

how to do Nating on MX, for DMZ configuration

BhushanKhachane
Conversationalist
‎Dec 18 2019 4:14 AM
‎Dec 18 2019 4:14 AM

how to do Nating on MX, for DMZ configuration

1. configured DMZ ip(public ip) on MX firewall

2. configured other DMZ ip(public ip) of same subnet on ASA firewall which is connected to MX.

 

now im not able to ping DMZ ip which is configured on MX as well as ip on ASA from outside network, (from outside, trace reachable till MX wan ip)

 

please suggest, how can i do Nating on MX device, or is there any port forwarding needed. to make these ip reachable from outside network.

 

note: both DMZ ip configured on meraki and ASA are public ip.

 

 

0 Kudos
Subscribe
2 Replies 2
AjitKumar
Head in the Cloud
‎Dec 18 2019 4:51 AM
‎Dec 18 2019 4:51 AM

Hi @BhushanKhachane 

This is my understanding.

 

First

If your public ip of MX interface is not pingable. Please check

Security & SD-WAN > Firewall > Security appliance services [ICMP Ping is allowed = Any]

 

Second

Now as you MX is connected on LAN Port of MX and public ip of ASA is of the same subnet. You may try to configure 1:1NAT.

Security & SD-WAN > Firewall >1:1 NAT

[Type in your ASA Interface IP in "Public IP" and "LAN IP" fields]

 

Hopefully this shall solve your issues.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
Subscribe
BrechtSchamp
Kind of a big deal
‎Dec 18 2019 5:32 AM
‎Dec 18 2019 5:32 AM

If your MX is in NAT mode, then you shouldn't have the public IP subnet on both the WAN-side and the LAN-side of the MX which I think you do have right now (if I understood correctly).

 

Either you need to change your setup and have the ASA and the MX connect (in parallel) to the same device (router most likely).

 

Or you need to give the ASA's WAN a private IP address from an existing or a new range, and use 1:1 NAT. You would have it configured as follows:

BrechtSchamp_0-1576675767981.png

 

Note that in this case I have opened up the firewall to the ASA completely (Any/Any/Any). You may want to limit what access to the ASA is possible.

 

More info here:

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Configuring_1%3A1_NAT

 

Edit: Also, if you're using ping to test, as @AjitKumar mentioned, by default the MX doesn't allow pinging its WAN side. But the same goes for the ASA, make sure, it is configured to respond to pings on its WAN side.

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.