Skip to main content
Cisco Meraki Documentation

Utilizing 1:1 NAT with Link Aggregation and Multiple Public IPs

  1. Last updated
  2. Save as PDF

Many networks require multiple public IP addresses for public facing resources.  This article will outline configuring 1:1 NAT rules on the MX security appliance with Link aggregation and multiple public IP addresses.

Configuration

You may have public facing resources that users and customers need to access from the Internet.  Port forwarding rules are used when the destination IP is the MX's Internet port IP address (either Internet port 1 or 2).  If the ISP is providing a block of public IP addresses, a 1:1 NAT rule is configured to map the public IP address to the internal LAN IP address of the resource.  These rules can be configured from Configure > Firewall > Forwarding rules.  

In the following example a 1:1 NAT rule will be configured for two web servers.  Each webserver will be using a different ISP (ie. a different Internet port on the MX):

 

Hostname:WebServer01

Service: web server  (TCP port 80)

Public IP: 3.3.3.3

 

Hostname:WebServer02

 

Service: E-mail server and web mail (TCP ports 25, 80, and 443)

 

Public IP: 5.5.5.5

86aab028-2aa9-4e0f-aab5-24680d71d77f

 

In the dashboard we would select Add a 1:1 NAT mapping and enter the following information:

 

 

Name: name for the mapping

 

Public IP: the IP address from the ISP that devices on the Internet will connect

 

LAN IP: local IP address of the device

 

Uplink: interface the MX should receive the inbound traffic from

 

Allowed inbound connections: firewall rules allowing inbound connections to the LAN device on the specified ports

 

The next figure shows the configuration required for our example:

 

6df4e6df-6ea0-4249-9ee1-d1d013c64219

 

 

 

 

 

*Note: The only inbound connections that are allowed are the ports that are defined by Allow inbound connections.

Uplink Preferences

These mappings will allow the appropriate inbound connections to the LAN servers.  Outbound traffic from these devices will follow the configured Primary uplink (Configure > Traffic shaping > Uplink configuration) unless Link aggregation has been enabled (in this case you could not be certain which interface the traffic would egress).  An Uplink preference can be created to send traffic from a specific LAN host out a particular uplink.

f359838c-ecfb-4920-93a1-f834805276c3

In the above image we have created a preference to send all TCP/UDP traffic for WebServer02 out the Internet 2 uplink.  This preference was created to avoid asymmetric routing.  In our example, WebServer02, is also acting as a mail server.  When it communicates with other mail servers they are expecting the IP address of our mail server to be the same as the 1:1 NAT statement we created.  Without having the uplink preference this server would use the Internet port 1 uplink (and hence the Internet port 1 IP address).

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Reference
    Stage
    Final
  2. Tags
    1. 1 to 1 NAT
    2. link aggregation