07-16-2025 05:41 AM
Hi everyone,
I’m working on a network setup where I have a Meraki MX firewall connected directly to the internet. Due to government security requirements, I need to add a second firewall between the LAN and a dedicated server segment.
In this design:
The Meraki MX67 is the edge firewall connected to the internet (average client count: 250 users).
The second MX85 firewall will sit between the LAN and the internal servers. Number of servers: 2 HP DL380 G10, with 2 VMs running the ERP system?
From the server side, this second firewall will act as the "internet gateway" (via the MX).
I’m concerned about NAT behavior, routing, and potential visibility issues (like client tracking, traffic shaping, etc.) when Meraki is not the final hop to the server.
I noticed the “NAT Exceptions” / “Manual NAT” feature on Meraki, and I’m trying to understand if it can help in this case.
Question:
What’s the recommended best practice for this kind of deployment using Meraki MX? Any advice or design considerations to avoid double NAT issues, maintain security, and preserve Meraki’s visibility?
Thanks in advance!
07-16-2025 05:51 AM
I would never install an MX67 if your average client count is 250...
If your second firewall also needs to serve as an internet gateway then your only choice is to have both the MX67 and the MX85 directly connected to the internet and have a separate /30 LAN segment between both firewalls and just route internally between your users and the servers.
Then you still have the NAT for internet bound traffic and you don't have NAT in between them.
07-16-2025 06:39 AM
Alternatively if you don't want to bother your MX67 with the traffic going to the servers you could have your user VLANs terminate on a L3 switch and have that L3 switch have a /30 uplink to each MX.
This way user traffic to the internet would route via the L3 switch to the MX67 and user traffic to the servers would route from the L3 switch directly to the MX85.
07-16-2025 09:59 AM
Thanks for the explanation, but I’m still having trouble fully understanding the setup — especially the part about the /30 between the firewalls and avoiding NAT internally.
Would it be possible for you to clarify it further with a simple diagram or drawing?
I have an MX67 and an MX85, and I’m trying to understand the best way to separate internal traffic from internet-bound traffic without doing NAT between them.
07-16-2025 11:52 PM
Scenario 1: traffic goes through both MX'es:
Scenario 2: routing via L3 switch
07-16-2025 10:37 AM
One quick question — do IPS and AMP on the MX67/MX85 only inspect traffic going to/from the internet (WAN), or do they also work on internal routed traffic (LAN-to-LAN), such as traffic between users and servers?
Just trying to understand what kind of protection applies within the LAN when using a Layer 3 switch for internal routing.
07-16-2025 11:38 PM
IPS inspection is done on all traffic routed through the firewall.
You can of course set trusted IP ranges or applications to fast path these flows so it bypasses the IPS inspection. I'm not sure if that then also bypasses the AMP portion.
If you have multiple VLANs behind the L3 switch they will be able to reach each other directly without passing through the firewall. However, the traffic going to the servers is going through either 1 or 2 firewalls depending on the chosen setup. You can of course use ACLs on the switches (like you also would in an adaptive policy setup) or you could have switches that support VRFs and then you can force some traffic to go through the firewall.
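The L3-switch design described earlier in the thread (user VLANs terminated on the switch, a /30 uplink to each MX, default route towards the MX67, a server route towards the MX85) and the caveat above that VLAN-to-VLAN traffic never touches either firewall can be made concrete with a small route-lookup model. This is an added example, not code from the thread or from Meraki; every prefix, next-hop address and ACL rule in it is a constructed assumption, chosen only to show which device each flow traverses and where a switch ACL has to do the filtering the firewalls never see.

```python
import ipaddress
from collections import namedtuple

# Constructed addressing for the L3-switch scenario (assumptions, not from the post):
VLAN10   = ipaddress.ip_network("10.10.10.0/24")   # user VLAN on the L3 switch
VLAN20   = ipaddress.ip_network("10.10.20.0/24")   # second user VLAN on the L3 switch
SERVERS  = ipaddress.ip_network("10.20.0.0/24")    # server segment behind the MX85
P2P_MX67 = ipaddress.ip_network("192.0.2.0/30")    # /30 uplink: switch <-> MX67 (edge)
P2P_MX85 = ipaddress.ip_network("192.0.2.4/30")    # /30 uplink: switch <-> MX85 (internal)

Route = namedtuple("Route", "prefix next_hop via")

# Routing table of the L3 switch. Longest prefix match picks the entry,
# so the /24 server route wins over the 0.0.0.0/0 default.
SWITCH_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "192.0.2.1", "MX67"),  # internet via edge MX
    Route(SERVERS,                           "192.0.2.5", "MX85"),  # servers via internal MX
    Route(VLAN10,   None, "connected"),
    Route(VLAN20,   None, "connected"),
    Route(P2P_MX67, None, "connected"),
    Route(P2P_MX85, None, "connected"),
]


def lookup(dst, routes=SWITCH_ROUTES):
    """Longest-prefix-match lookup; returns the best Route or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forwarding_path(src, dst):
    """Devices a flow from src to dst passes through after leaving the user VLAN."""
    route = lookup(dst)
    if route is None:
        return []                                   # no route: dropped at the switch
    if route.via == "connected":
        return ["L3-switch"]                        # VLAN-to-VLAN: no firewall at all
    if route.via == "MX85":
        return ["L3-switch", "MX85"]                # users -> servers: one firewall
    return ["L3-switch", "MX67", "internet"]        # default: edge firewall, then WAN


# Constructed switch ACL (first match wins, implicit deny at the end). This is the
# control that covers the inter-VLAN flows the firewalls never inspect.
AclRule = namedtuple("AclRule", "action src dst")
ANY = ipaddress.ip_network("0.0.0.0/0")
SWITCH_ACL = [
    AclRule("deny",   VLAN20, VLAN10),   # e.g. keep the second VLAN away from VLAN 10
    AclRule("permit", ANY,    ANY),
]


def switch_acl_permits(src, dst, acl=SWITCH_ACL):
    """Evaluate the switch ACL for a src/dst pair; False on no match (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            return rule.action == "permit"
    return False


def evaluate(src, dst):
    """Summarise where a flow is routed and whether any firewall sees it."""
    p = forwarding_path(src, dst)
    return {
        "path": p,
        "firewall_inspected": any(hop.startswith("MX") for hop in p),
        "switch_acl_permits": switch_acl_permits(src, dst),
    }


if __name__ == "__main__":
    for src, dst in [("10.10.10.5", "203.0.113.10"),   # user -> internet
                     ("10.10.10.5", "10.20.0.10"),     # user -> ERP server
                     ("10.10.20.7", "10.10.10.5"),     # VLAN 20 -> VLAN 10
                     ("10.10.10.5", "10.10.20.7")]:    # VLAN 10 -> VLAN 20
        print(f"{src:>12} -> {dst:<14} {evaluate(src, dst)}")
```

Running it shows the point of the reply above: the internet and server flows carry an MX hop (so IPS and, where applicable, AMP apply), while both VLAN-to-VLAN flows list only the switch, and the constructed ACL is the sole thing separating VLAN 20 from VLAN 10.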
07-16-2025 01:19 PM
For this use case, I would consider running the MX85 in "passthrough" mode. In this configuration, it acts like a layer 2 bridge. It doesn't touch any IP addressing. It just monitors and does firewalling.
https://documentation.meraki.com/MX/Networks_and_Routing/MX_Layer_2_Functionality#Passthrough_Mode
07-16-2025 03:05 PM
Why not use the MX85 as the edge firewall and the MX67 between the MX85 and the server?
07-17-2025 12:17 AM