How does Secure Connect deal with NAT rules?

Bucket

If spokes receive a default route from the SC hubs, does that mean NAT (1:1, 1:many, port forwards) on the spoke stops working when SC is enabled?

1 Accepted Solution
SahandC
Meraki Employee

Hi Bucket, it isn't that NAT stops working, it's that the default route installed to the appliance creates an asymmetric route.


For sites with resources that need to be accessible from the public internet, you need to either create a VPN exclusion rule to break traffic out of the VPN tunnel, or deploy the appliance as a hub to prevent the default route from being propagated.

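The asymmetry SahandC describes can be made concrete with a small routing model. The block below is an added illustration written for this thread, not Meraki code: it models a spoke with a port forward to an internal web server, performs a longest-prefix route lookup for the server's reply, and shows that once the tunnel default route is installed the reply leaves via the tunnel while the inbound packet arrived on the WAN. The `Exclusion` rule is a simplified, hypothetical stand-in for a VPN exclusion that breaks matching traffic out to the local WAN; all addresses are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of a spoke appliance's forwarding decision.
# Illustrates the asymmetric-route problem; it is not Meraki's implementation.

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str          # "lan", "wan" or "tunnel"

@dataclass(frozen=True)
class Exclusion:
    # Hypothetical VPN exclusion rule: traffic from this source subnet that
    # would otherwise follow the tunnel default route is sent via the WAN.
    source: ipaddress.IPv4Network

# Constructed addresses (RFC 5737 documentation ranges for the public side).
INTERNET_CLIENT = ipaddress.IPv4Address("203.0.113.5")   # external client
WEB_SERVER = ipaddress.IPv4Address("10.0.1.10")          # port-forward target
LAN = ipaddress.IPv4Network("10.0.1.0/24")
DEFAULT = ipaddress.IPv4Network("0.0.0.0/0")

# Spoke route tables before and after Secure Connect installs its default route.
ROUTES_BEFORE_SC = [Route(LAN, "lan"), Route(DEFAULT, "wan")]
ROUTES_WITH_SC = [Route(LAN, "lan"), Route(DEFAULT, "tunnel")]

def lookup(routes, dst):
    """Longest-prefix match: return the egress interface for dst."""
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen).interface

def egress(routes, exclusions, src, dst):
    """Policy routing: an exclusion only overrides a tunnel-bound decision."""
    iface = lookup(routes, dst)
    if iface == "tunnel" and any(src in ex.source for ex in exclusions):
        return "wan"
    return iface

def port_forward_flow(routes, exclusions=()):
    """Trace an inbound port-forwarded connection and the server's reply.

    The inbound packet is addressed to the spoke's public IP, so it always
    arrives on the WAN and is DNATed to WEB_SERVER there.  The reply is routed
    by destination; if it does not leave on the WAN, the NAT state that was
    created on the WAN never sees it and the connection is asymmetric.
    """
    inbound = "wan"
    reply = egress(routes, exclusions, WEB_SERVER, INTERNET_CLIENT)
    return {"inbound": inbound, "reply": reply, "symmetric": inbound == reply}

if __name__ == "__main__":
    print("before SC:        ", port_forward_flow(ROUTES_BEFORE_SC))
    print("with SC:          ", port_forward_flow(ROUTES_WITH_SC))
    print("with SC+exclusion:", port_forward_flow(ROUTES_WITH_SC, [Exclusion(LAN)]))
```

Running the block shows the three cases from the thread: with the original WAN default route the flow is symmetric, with the tunnel default route the reply egresses the tunnel (asymmetric, so the port forward appears broken), and with an exclusion covering the server's subnet the reply returns to the WAN. Deploying the appliance as a hub corresponds to staying on `ROUTES_BEFORE_SC`, since no tunnel default route is propagated.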

2 Replies
PhilipDAth
Kind of a big deal

I haven't tested this - but I would expect this to be the case (NAT stops working).


You would need to change the device to being in hub mode so its Internet didn't go via SecureConnect.


BUT - could you configure it as a zero trust application and access it using that method?

