Home > Security Appliances > NAT and Port Forwarding > 1:1 NAT Rules not working properly after installing MX

1:1 NAT Rules not working properly after installing MX

Table of contents
No headers

There are circumstances where 1:1 NAT rules won't work after installing an MX. This commonly occurs after replacing a firewall with an MX Security Appliance, because the upstream modem or router has not updated its ARP table and needs to be restarted or cleared. The upstream modem/router handles the packets that are being forwarded to the MX that are not addressed to the public address of the MX.

For more information on the ARP protocol refer to this article.

For more information on 1:1 NAT configuration on the MX security appliance refer to our product documentation.

 

In this example the MX will be replacing a third party firewall with current active 1:1 NAT rules using multiple public IP addresses. The MX is currently configured with the IP addresses of the previous firewall and 1:1 NAT rules as shown in the figure below: 

 

If the upstream router or modem does not have its ARP table cleared, it will attempt to send requests to the previous third party firewall MAC address. However, the MX will ignore this packet if the upstream modem or router is not restarted. This can be illustrated by the capture and diagram below:

 

 

Once the upstream device ARP tables are cleared, or it is restarted, the ARP will resolve correctly and the requests will now be forwarded with the correct MAC address, allowing the 1:1 NAT to function. This is shown in the following diagram and captures of both the Internet and LAN interfaces of the MX:

 

 

 

 

You must to post a comment.
Last modified
15:16, 18 Feb 2016

Tags

This page has no custom tags.

Classifications

This page has no classifications.

Article ID

ID: 1485

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case