Vmx deployment in nat mode

Jay7
Comes here often

I am working with a customer to set up vMX in the Azure cloud. As per Meraki documentation from Oct 31, 2022, Meraki supports routed mode in vMX. However, there is no documentation or deployment model from Meraki to follow. Also, does vMX support multiple interfaces such as WAN and LAN? Is there anyone who has deployed vMX in NAT mode? If so, please share the info.

6 Replies
Ryan_Miles
Meraki Employee

https://documentation.meraki.com/MX/Other_Topics/vMX_NAT_Mode_Use_Cases_and_FAQ

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
MyHomeNWLab
A model citizen

Meraki vMX's Limited NAT mode has only one uplink.

Communication from the branch MX to the vMX "LAN Config > subnet" is absorbed by the vMX.
Therefore, in Limited NAT mode, Full Tunnel must be configured from the branch MX to the vMX.
Also, the vMX must be deployed in a separate segment.
My assumption is that the "LAN Config > subnet" setting may have been installed as Connected in the routing table (blackhole).

A reboot is required after changing the settings.
If not rebooted, the system may operate halfway.

As with Routed Mode on the MX, a DC-DC Failover topology is not possible in Limited NAT mode.

Jay7
Comes here often

Basically, we are building AutoVPN to the vMX to access services in Azure. For internet connections, traffic will drop locally at the branch site.

MyHomeNWLab
A model citizen

Basically, we are building AutoVPN to the vMX to access services in Azure.

The vMX in Limited NAT mode performs Source NAT and hides the branch's address.
This may be a problem if you want to identify the user (real IP address) on the Azure side.

In Limited NAT mode, communication from Azure to the branch is not possible because the branch's address is hidden by NAT.

If it is one-way communication (Branch -> Azure), like a shared service, that restriction would not be a problem.

Jay7
Comes here often

As of now we are only targeting one-way communication from the branch to Azure. If we enable the Azure default route option, all branch-advertised VPN routes will be routed through the full tunnel to the Azure vMX, which I don't want. I would like to know how the vMX can advertise the Azure subnets to the branch MX; that's what I am trying to figure out.

MyHomeNWLab
A model citizen

From what you say, it seems to me that there is no need to stick to Limited NAT mode.

It would be simpler to configure the vMX as a One-Armed Concentrator [Passthrough or VPN Concentrator Mode] and advertise the Azure subnet from the vMX.

The Local Networks setting can advertise specified subnets.

Overlay (on the Auto VPN tunnel) access control can be configured with the "site-to-site outbound firewall", which also allows one-way communication (Branch -> Azure).
