Apologies if this has been asked before (sure it has been). Looking at configuring an MX84 at a branch site, which will then VPN back to a central location that has Cisco FTD NG firewalls (let's just say they are ASAs for simplicity just now).
I need to check about what options I have for configuring Internet Access breakout for users behind the Meraki.
Can I back-haul all internet access over the tunnel to the head office Cisco FTDs? (I know about the "exit hub" setting in the dashboard, but it's not a Meraki at the head office, so I just wanted to be sure this is possible.)
The following section is an excerpt from the above URL:
Non-Meraki VPN peers
You can create Site-to-site VPN tunnels between the MX appliance and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:
A name for the remote device or VPN tunnel.
The public IP address of the remote device.
The subnets behind the third-party device that you wish to connect to over the VPN. 0.0.0.0/0 can also be specified to define a default route to this peer.
The IPsec policy to use.
The preshared secret key (PSK).
Availability settings to determine which appliances in your Dashboard Organization will connect to the peer.
Note that if an MX is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.
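The same peer definition the excerpt walks through, expressed as a Dashboard API payload so it can be reviewed and version-controlled rather than typed into the form. This is an added example and not code from the thread or from Meraki; it assumes the `PUT /organizations/{organizationId}/appliance/vpn/thirdPartyVPNPeers` endpoint (which replaces the whole peer list), the `ipsecPoliciesPreset` / `ikeVersion` / `networkTags` field names of that endpoint, and placeholder values for the organization ID, API key, peer address and PSK. The `backhauls_all_internet` check flags the 0.0.0.0/0 case so the no-WAN-failover caveat above is caught before the change is pushed.

```python
"""Build and validate a Non-Meraki VPN peer entry for the Meraki Dashboard API.

Added example, not from the original thread. Assumptions: the endpoint
PUT /organizations/{organizationId}/appliance/vpn/thirdPartyVPNPeers and its
field names (name, publicIp, privateSubnets, secret, ikeVersion,
ipsecPoliciesPreset, networkTags); all IPs, IDs and secrets are placeholders.
"""
import ipaddress
import json
import os
import urllib.request

MERAKI_API_BASE = "https://api.meraki.com/api/v1"  # assumed API base URL
DEFAULT_ROUTE = "0.0.0.0/0"


def build_third_party_peer(name, public_ip, private_subnets, secret,
                           network_tags=("all",), ike_version="2",
                           ipsec_policies_preset="default"):
    """Return one entry for the API's 'peers' list.

    Mirrors the dashboard form: a name, the remote public IP, the subnets
    reachable behind the peer (0.0.0.0/0 makes it the default route), an
    IPsec policy (a preset here), the PSK and the availability (network tags).
    Inputs are validated the way the form would reject them.
    """
    ipaddress.ip_address(public_ip)  # raises ValueError if not an IP address
    # strict=True rejects host bits, e.g. 10.0.0.1/8
    subnets = [str(ipaddress.ip_network(s, strict=True)) for s in private_subnets]
    if not subnets:
        raise ValueError("at least one private subnet (or 0.0.0.0/0) is required")
    if not secret:
        raise ValueError("preshared secret must not be empty")
    return {
        "name": name,
        "publicIp": public_ip,
        "privateSubnets": subnets,
        "secret": secret,
        "ikeVersion": ike_version,
        "ipsecPoliciesPreset": ipsec_policies_preset,
        "networkTags": list(network_tags),
    }


def backhauls_all_internet(peer):
    """True when the peer carries a default route: every non-local destination,
    Internet included, goes over the tunnel and, per the Meraki note, will not
    fail over to the local WAN if the tunnel drops."""
    default = ipaddress.ip_network(DEFAULT_ROUTE)
    return any(ipaddress.ip_network(s) == default for s in peer["privateSubnets"])


def push_peers(org_id, api_key, peers):
    """PUT the complete peer list (this endpoint replaces all existing peers).
    Network call; not exercised by the offline example below."""
    req = urllib.request.Request(
        f"{MERAKI_API_BASE}/organizations/{org_id}/appliance/vpn/thirdPartyVPNPeers",
        data=json.dumps({"peers": peers}).encode(),
        method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values; 203.0.113.0/24 is a documentation range (TEST-NET-3).
    hq = build_third_party_peer(
        name="HQ-FTD",
        public_ip="203.0.113.10",
        private_subnets=["10.0.0.0/8", DEFAULT_ROUTE],
        secret=os.environ.get("VPN_PSK", "replace-me"),
        network_tags=["branch"],
    )
    print(json.dumps(hq, indent=2))
    if backhauls_all_internet(hq):
        print("WARNING: 0.0.0.0/0 points at this peer. Internet is backhauled "
              "and will NOT fail over to the local WAN if the tunnel drops.")
```

Keep the PSK out of the script (it is read from an environment variable here) and remember that the PUT replaces the entire peer list, so always send every peer you intend to keep.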
Thanks for the speedy response. Kind of exactly what I thought, so that's good.
Next quick question to throw in a little complication....
The branch site we are looking at putting the Meraki into... they just have a single static public IP address.
Their current setup uses a Zyxel USG310 box, which we are looking to replace with the Meraki. On this Zyxel they have configured several NAT (well... PAT) rules to various internal servers on the LAN.
If we replace this Zyxel with the Meraki and stand up the VPN as previously mentioned (backhauling all internet access), would we still be able to apply the PAT rules, or would they be overridden by the 0.0.0.0/0 route?