Meraki

Community

How does Secure Connect deal with NAT rules?

Solved
Bucket
Getting noticed
‎Dec 9 2024 12:24 PM
‎Dec 9 2024 12:24 PM

How does Secure Connect deal with NAT rules?

If spokes receive a default route from the SC hubs, does that mean NAT (1:1, 1:many, port forwards) on the spoke stops working when SC is enabled?

0 Kudos
1 Accepted Solution
SahandC
Meraki Employee
Meraki Employee
‎Dec 20 2024 10:10 AM
‎Dec 20 2024 10:10 AM

Hi Bucket, it isn't that NAT stops working, it's that the default route installed to the appliance creates an asymmetric route.

 

For sites with resources that need to be accessible from the public internet, you need to either create a VPN exclusion rule to break traffic out of the VPN tunnel, or deploy the appliance as a hub to prevent the default route from being propagated.

View solution in original post

3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 9 2024 5:34 PM
‎Dec 9 2024 5:34 PM

I haven't tested this - but I would expect this to be the case (nat stops working).

 

You would need to change the device to being in hub mode so its Internet didn't go via SecureConnect.

 

 

BUT - could you configure it as a zero trust application and access it using that method?

0 Kudos
SahandC
Meraki Employee
Meraki Employee
‎Dec 20 2024 10:10 AM
‎Dec 20 2024 10:10 AM

Hi Bucket, it isn't that NAT stops working, it's that the default route installed to the appliance creates an asymmetric route.

 

For sites with resources that need to be accessible from the public internet, you need to either create a VPN exclusion rule to break traffic out of the VPN tunnel, or deploy the appliance as a hub to prevent the default route from being propagated.

In response to SahandC
Kriver
New here
‎Feb 5 2025 4:42 AM
‎Feb 5 2025 4:42 AM

Correct, the issue arises due to asymmetric routing, as return traffic exits at the POP within the Secure Connect data center. Unfortunately, in some cases, it’s not possible to exclude these IPs from the VPN or configure them as a hub. This limitation is a significant blocker for us in adopting Secure Connect, and we hope it will be addressed in a future update.

0 Kudos
li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2025 Cisco Systems, Inc.