vMX in Azure - Change from Passthrough to Routed/NAT Mode

stgonzo
Getting noticed

Hi everyone,

Just wondering if anyone has done this before, and how much reconfiguring may have to be done in Meraki and Azure, if any?


I have a customer that wants to access ACL-restricted resources on public clouds, so they need to use full-tunnel on the Client VPN now instead of split-tunnel and set the vMX public IP as trusted. There doesn't seem to be much information on this, as it's only recently that this could be done without Meraki support.


Thanks

3 Replies
GIdenJoe
Kind of a big deal

The vMX in Azure does not support NAT mode yet.

Also, the vMX is only intended to be used as an AutoVPN/SD-WAN hub.

To secure the traffic from your servers going to the internet, you need to use the native Azure policy or use a full firewall solution like Cisco FTD or a 3rd-party vendor.

GreenMan
Meraki Employee

NAT mode in vMX is supported, but not so the vMX can act as a firewall. Check this out: https://documentation.meraki.com/MX/Other_Topics/vMX_NAT_Mode_Use_Cases_and_FAQ

stgonzo
Getting noticed

I switched the vMX to Routed Mode. This got the Client VPN on the vMX working as desired, but it caused an issue with the onsite MX, where it lost connectivity to Azure subnets through the Auto-VPN. This is because the routed MX can only be configured with a single LAN, so it was only allowing the default LAN and Client VPN pool to be shared over the VPN. I could partially fix this by setting the vMX as the IPv4 default route, but then this caused issues with non-Meraki VPNs; it would also cause excessive Azure egress traffic, which would have associated costs.


After a long call to support going through various things, I have set the device back to Passthrough mode now. Apart from not being able to use full-tunnel for VPN clients, everything else seems to work on the MX and vMX. Looking through posts in various forums, it sounds like another device would be needed to do the NAT for internet access.