AWS vMX Auto VPN up but no internet for Branch

Sid3
Comes here often

Testing Meraki services and have an AWS vMX and a physical MX (no devices in between). vMX is the Hub and the physical MX is the branch. Utilizing full tunneling (default route to the Hub checked) but the branch MX does not get internet access. I believe it's an AWS issue because I can ping the private IP space in AWS from the branch MX but can't ping anything on the internet. I can ping the internet from the vMX though.

vMX:

VPN Status up (green)

Exported Subnet is the VPC subnet from AWS 172.21.0.0/16

Can ping 8.8.8.8 

Can ping branch subnet gateway 192.168.120.1

Route table shows remote subnet up (Green) 192.168.120.0/24 of Branch MX

NAT traversal Auto

Local Networks VPN Mode Enabled

Branch MX:

VPN Status up (green)

Exported Subnet is the local VLAN 192.168.120.0/24

Can't ping 8.8.8.8

Can ping VPC subnet 172.21.x.x

Route table shows vMX subnet 172.21.0.0/16

NAT traversal Auto

Local Networks VPN Mode Enabled

AWS configuration - followed the AWS guide:

Disabled source destination check on the interface

Created subnet 172.21.4.0/24 and attached to routing table

Added private subnet from branch 192.168.120.0/24 to route table attached to instance and tried interface

Added internet gateway of 0.0.0.0/0 to route table 

Route table contains local route of 172.21.0.0/16

I'm lost and not sure what else to try. I tore down the vMX and VPC and built it from scratch following the same steps and still the same result. The Meraki rep doesn't really work with AWS. Any help would be appreciated. 

PhilipDAth
Kind of a big deal

AWS only allows its local VPC subnets to access the Internet. It will not allow remote subnets to use it for Internet access.

You can work around this, but it is painful.  You have to put a NAT gateway in front of the vMX to hide the remote subnets from AWS.

Azure has the same restriction.

Fady demonstrates doing this in Azure.  Same concept for AWS.

https://www.youtube.com/watch?v=MljINqgmDkM 
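
The reason the branch cannot reach the Internet while the vMX can, traced in a small model of the AWS routing described in this thread. This is an added example, not code from the thread or from Meraki/AWS; the vMX address 172.21.4.10, the NAT gateway address 172.21.4.20 and the 203.0.113.x public IPs are constructed placeholders, and the Internet Gateway behaviour is reduced to its one relevant rule: it only translates VPC addresses that carry a public IP.

```python
import ipaddress

# Topology from the thread: VPC 172.21.0.0/16 (vMX in 172.21.4.0/24), branch 192.168.120.0/24.
VPC_CIDR = ipaddress.ip_network("172.21.0.0/16")

# VPC private addresses that the Internet Gateway will 1:1-NAT to a public IP.
# The vMX address, NAT gateway address and public IPs are constructed placeholders.
VMX_ADDR = ipaddress.ip_address("172.21.4.10")
NAT_GW_ADDR = ipaddress.ip_address("172.21.4.20")
EIP_MAP = {VMX_ADDR: "203.0.113.10", NAT_GW_ADDR: "203.0.113.20"}

def longest_prefix_match(route_table, dst):
    """Return the target of the most specific route covering dst, or None."""
    best = None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def igw_egress(src):
    """An IGW only translates VPC addresses that carry a public IP; any other source is dropped."""
    if src in VPC_CIDR and src in EIP_MAP:
        return ("forwarded", EIP_MAP[src])
    return ("dropped", None)

def send(src, dst, route_table):
    """Trace one packet leaving the vMX subnet; returns (outcome, public source IP or None)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    target = longest_prefix_match(route_table, dst)
    if target == "local":
        return ("delivered-in-vpc", None)
    if target == "vmx-eni":
        return ("delivered-via-vpn", None)
    if target == "nat-gw":
        # The NAT gateway rewrites the source to its own VPC address before the IGW sees the
        # packet (simplified: no port state, and the gateway's own subnet is assumed to reach the IGW).
        src, target = NAT_GW_ADDR, "igw"
    if target == "igw":
        return igw_egress(src)
    return ("no-route", None)

# Route table as posted: local VPC route, branch subnet via the vMX interface, default to the IGW.
RT_IGW = [("172.21.0.0/16", "local"), ("192.168.120.0/24", "vmx-eni"), ("0.0.0.0/0", "igw")]
# Workaround from the reply above: the vMX subnet's default route points at a NAT gateway instead.
RT_NAT = [("172.21.0.0/16", "local"), ("192.168.120.0/24", "vmx-eni"), ("0.0.0.0/0", "nat-gw")]
```

With RT_IGW the branch source 192.168.120.x reaches the IGW untranslated and is dropped, which matches the symptoms (VPC pings work, 8.8.8.8 does not); with RT_NAT the same packet leaves as the NAT gateway's public IP.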

Sid3
Comes here often

Thank you for your response PhilipDAth,

That's interesting, so is the only reason someone would utilize a vMX to access resources in AWS? Just seems odd to have the "Hub" option but it won't route your "Branch" traffic out.

We were wanting to route all branch traffic via VPN out to a hub within US IP space, but do not have branches in the US to place a physical device to accomplish this, so we wanted to leverage AWS. Is there any way to have all branches egress via a "Hub" in the US that you are aware of without a physical device in the US?

PhilipDAth
Kind of a big deal

You have to put a NAT gateway in front of the vMX to hide the remote subnets from AWS.

Bruce
Kind of a big deal

I don’t know if this will help, but the vMX now has a limited NAT mode which essentially NATs all the IP addresses from the branch sites to the vMX IP address. I haven’t used it, and don’t know if this will provide you with the NAT you need, or if it will work for your design (it all depends what else you are doing in AWS). The detail about it is here, https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Amazon_Web_Services_(...
