Working on planning out the conversion of a long-time Cisco ISR/ASA customer over to MX. The customer is a C-Store chain that has an outside vendor monitor fuel tank gauges and today they do it through 1:Many NATs through an ASA. So if the vendor browses to [public IP]:[port # xyz041] the ASA performs the translation and routes the traffic over to the MPLS WAN router and on out to the store over MPLS and they reach store number 41's tank gauge web UI.
The question is - moving over to a MX VPN network, can I configure these 1:Many NATs on a MX VPN hub (NAT mode, not one-armed) and refer to hosts available via AutoVPN? If it's not supported it's not that big of a deal as we are still going to use the ASA for a couple things; but if the MX will support it we'd rather do it that way.
I've configured a 1:Many NAT on a VPN hub and referred to a LAN IP that doesn't actually live as a physically connected network on the ASA... and Dashboard didn't object to the config. I called support and I got a weak "this isn't supported" answer - weak in that the support agent didn't sound too terribly confident in that answer. It was more like "if it doesn't work then we can't support it".
Guess it was wishful thinking - hoping the MX would be smart enough to know the destination was in the routing table via AutoVPN. Client VPN definitely is a possibility although I’m not sure our customer/their vendor will go for it. Thanks Philip!
I just had a further play with this. I tried this on 13.28 code (I have not attempted this for quite some time). The GUI now takes the config (of NATing to a remote AutoVPN destination), so that is a step forward.
HOWEVER, there are caveats. When traffic flows in via a NAT the return traffic must flow back out the same place. So if you were using AutoVPN, the remote site must route the return traffic back to the original MX - this would normally imply you would have to use AutoVPN with the default route option. This would mean you cannot use local Internet break out.
HOWEVER, if you had local Internet break out then you could always do NAT on each individual MX, saving you from having to use 1:Many NAT at the head end. Don't forget there is DDNS available to locate these.
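As an added illustration of the return-path caveat described in the reply above (this is not code from any post in the thread or from Meraki), here is a toy Python model of the hub's 1:Many NAT with a store whose default route either goes over AutoVPN back to the hub or breaks out to the local Internet. All addresses and ports are constructed.

```python
from dataclasses import dataclass

# Constructed addresses for illustration only (not real customer values).
HUB_PUBLIC = "203.0.113.10"      # public IP of the hub MX
VENDOR = "198.51.100.7"          # fuel-monitoring vendor's source IP
STORE41_GAUGE = "10.41.0.50"     # store 41 LAN IP of the tank gauge web UI

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# 1:Many NAT rules on the hub: public port -> (LAN host, port); port pattern is constructed
NAT_RULES = {41041: (STORE41_GAUGE, 80)}

class HubNat:
    def __init__(self):
        self.sessions = {}   # (inside_ip, inside_port, remote_ip, remote_port) -> public port

    def inbound(self, pkt):
        """Translate vendor -> hub public IP:port into vendor -> store LAN host:port."""
        if pkt.dst != HUB_PUBLIC or pkt.dport not in NAT_RULES:
            return None
        inside_ip, inside_port = NAT_RULES[pkt.dport]
        self.sessions[(inside_ip, inside_port, pkt.src, pkt.sport)] = pkt.dport
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)

    def outbound(self, pkt):
        """Reverse-translate a reply; only possible if the reply actually passes through the hub."""
        pub_port = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if pub_port is None:
            return None
        return Packet(HUB_PUBLIC, pub_port, pkt.dst, pkt.dport)

def store_return_path(default_route_via_autovpn):
    """Where the spoke MX sends traffic for a non-VPN destination such as the vendor's IP."""
    return "hub" if default_route_via_autovpn else "local_internet"

def vendor_reaches_gauge(default_route_via_autovpn):
    """True if the vendor's request gets a reply matching the socket it opened."""
    hub = HubNat()
    request = Packet(VENDOR, 40000, HUB_PUBLIC, 41041)
    inside = hub.inbound(request)           # forwarded over AutoVPN to store 41
    reply = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    if store_return_path(default_route_via_autovpn) == "hub":
        reply = hub.outbound(reply)         # symmetric path: reverse NAT restores HUB_PUBLIC:41041
    # Otherwise the reply leaves via the store's own Internet link, never touches the hub's
    # NAT state, and arrives from the wrong source, so the vendor's TCP stack discards it.
    return reply is not None and (reply.src, reply.sport) == (request.dst, request.dport)
```

Flip the default-route flag to see why the reply above says local Internet breakout and a head-end 1:Many NAT do not mix.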