Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

vMX NAT Mode, without full-tunnel for spoles sites

SkyWong44
Here to help
‎Jul 11 2023 11:42 PM
‎Jul 11 2023 11:42 PM

vMX NAT Mode, without full-tunnel for spoles sites

Hi All

 

I have read the https://documentation.meraki.com/MX/Other_Topics/vMX_NAT_Mode_Use_Cases_and_FAQ in the F.A.Q is say 

How to configure spokes for NAT mode vMX?

Enable site-to-site VPN for the spokes and set the NAT mode vMX as the Hub. Next, make sure to select enable full-tunnel to the vMX by selecting IPv4 default route to true under the hub settings. 

 

However if I'm not using the vMX as the default gateway for my remote sites, can I not select IPv4 default route to true under the hub settings?

I understand that in vMX NAT mode, it will only have one LAN subnet. Therefore it would not have any Azure subnet, and I should not change that setting.

For my case, I only want anyconnect client to use vMX as the default gateway to the internet, and for the remote sites just need to access Azure resources. all traffic is from remote sites/VPN clients to Azure.  I have tried to add a static route on vMX for Azure subnets, and it seems able to advertise to remote sites. My question is, what other limitation I may have?

 

Labels:
0 Kudos
Subscribe
1 Reply 1
bryona
Meraki Employee
Meraki Employee
‎Jul 13 2023 1:56 PM
‎Jul 13 2023 1:56 PM

Hi @SkyWong44,

 

Thanks for posting on the Community forum. Reading through to make sure I understand correctly, it sounds like only VPN clients would need to route through the new vMX to reach the Internet but clients at a spoke site should be using their normal Internet breakout. 

The simplest solution to this may be to have client VPN connect to the new vMX rather than a spoke or other hub since client VPN devices should follow any routes the MX they connect to uses. This way you don't need to add a default route with that hub setting on a spoke and traffic would flow the way you want. You'll still need individual routes for whatever resources you want to access in Azure so adding static routes like you did there should be fine.

If there are more specifics I might suggest reaching out to your account team to help them review your specific network configurations with you.

Hope this helps!
Bryon

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.