Meraki Community

fredle

Hi,

I have a MX75 and VMX in Azure with S2S VPN.

I have a number of VMs in Azure that I need to expose certain ports to the internet.

Can I do this through my VMX whilst in Passthrough/VPN Concentrator Mode?

Thanks,

GIdenJoe

The vMX is not an edge firewall in a cloud environment. You would need to use the Azure firewall or use an appliance like the Cisco FTD.

The vMX only acts as a VPN concentrator so there is no NAT'ing in this case.

View solution in original post

AMP

If your vMX is acting as a vpn concentrator/passthrough it typically wouldn't be at the edge of your network. So opening ports on the vMX wouldn't really do anything since traffic coming in from the internet isn't hitting the vMX and is only forwarding vpn traffic. This is why dashboard removes port forwarding and NAT rules when configured in passthrough.

Knowledge is power

GIdenJoe

The vMX is not an edge firewall in a cloud environment. You would need to use the Azure firewall or use an appliance like the Cisco FTD.

The vMX only acts as a VPN concentrator so there is no NAT'ing in this case.

TyShawn

Well, there are many ways to do this.

1. You can apply an IP to the resource and use the ACLs on the resource in question.

2. You can deploy a Cisco ASA / FTD / or any other firewall supported in Azure and route said traffic through said firewall.

3. You can set up an Azure firewall and route said traffic through the Azure firewall.

fredle

Thanks all. I was hoping the vMX would be an edge device. However given it isn't, i have just deployed a NAT gateway and load balancer in my vnet. The vMX is just dealing with routed traffic.

What is the logic behind the vMX not being able to be an edge firewall and look after all my traffic?

Meraki Community

VMX in Passthrough/VPN Concentrator Mode - Port forwarding

VMX in Passthrough/VPN Concentrator Mode - Port forwarding