How to configure Cisco Router connected to MX Security Appliance as Default Gateway to Internet

ANarcis
Here to help

How to configure Cisco Router connected to MX Security Appliance as Default Gateway to Internet

Hi Guys,

 

The router utilizes sub-interfaces that connect to down stream switch

Are these configurations correct for router and MX  to provide clients connected to down stream  Switch Internet Service ?

 

Static IP configured on MX WAN Interface (Public IP)

Configure Vlan interface and IP Address on MX .

Assign switchport on MX to created vlan.

Configure router interface to be  in same subnet as vlan on MX

Connect Router interface to Switchport on MX

 

 Default Route on router pointing to ip address of vlan interface on MX.

 

 

10 REPLIES 10
Ben
A model citizen

If i'm reading and interpreting your post correctly than yes that would work. 

Just to be sure your setup is

 

MX  <---->   Cisco router  <----->  switch <----->  clients    

 

 

Rgrds,

Ben

Hi Ben,

 

Do I need to configure static routes on the MX that point back to the Sub-interfaces configured on the router ? 

 

I have always connected a Cisco router on the MX on LAN port (3) and then add the Cisco's router's gateway 10.X.X.X/24 as a VLAN1 on the MX.

Hey Barry,

 

MX ---- > Cisco Router 

So, your saying that default routes on MX that point to vlans downstream aren't necessary.

 

 

You have to add the Cisco routers subnet as a routing VLAN on your MX and then go to the DHCP scope for the newly created VLAN and set it to relay DHCP to another server and then add your DNS below. 

 

 

 

 

 

You have add the Cisco routers subnet as a VLAN on your MX.

@ANarcis You haven't answered @Ben but I'm going to assume that what he said is indeed what you're trying to do. The question whether you need a route on the MX pointing towards VLANs that are present on the Cisco router downstream depends on what you're trying to do and how the router is configured.

 

If addresses of those downstream VLANs need to be reachable from the outside, i.e. connections initiated from the outside (whether that be through port forwarding, 1:1 NAT, AutoVPN, ClientVPN, ...) then yes, you definitely need a route on the MX.

 

If you just need those VLANs to have connectivity to the internet then you could just turn on NAT-masquerading on the router. The disadvantage there is that you no longer have insight into the original source addresses of the packets as those will be overwritten by the router's outer-IP by NAT. I'm going to guess that that is not what you want. So if you want to do filtering on the MX you'll likely want the MX to know about the downstream VLANs. so you would not turn on NAT in the router and you would indeed need route(s) on the MX pointing towards the Cisco router.

 

I hope that clears up things.

Actually, as you mentioned I just need to provide the downstream Vlans internet, the MX WAN interface will be configured with the public ip. So, NAT will be turn on to re-write the source address of packets leaving the internal network.

Then no route is needed. The only IP address the MX will get to see is the Cisco router's outer IP address so the route would not get used. The Cisco router's outer IP is in a subnet on which the MX also has an IP address so it can reach it.

Yes quite true,

 

Guys thank you all for your assistance.

Get notified when there are additional replies to this discussion.