Apologies if this has been asked before (sure it has been) - Looking at configuring an MX84 at a branch site which will then VPN back to a central location that has Cisco FTD NG firewalls (let's just say they are ASAs for simplicity just now).
I need to check about what options I have for configuring Internet Access breakout for users behind the Meraki.
Can I back-haul all internet access over the tunnel to the head office Cisco FTDs (I know about the "exit hub" setting in the dashboard - but it's not a Meraki at the head office - so I just wanted to be sure this is possible).
Thanks in advance....
I understand this shall not be a challenge.
Kindly check the following URL.
The following section is an excerpt from the above URL:
You can create Site-to-site VPN tunnels between the MX appliance and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:
Note that if an MX is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.
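For the hub side of the arrangement described in this reply (an MX added as a non-Meraki peer and given a 0.0.0.0/0 route over the tunnel), here is an added example of the matching ASA-style IPsec, U-turn and NAT configuration. It is not from the original thread or from Meraki's documentation, and it uses ASA CLI as the question suggested rather than FTD/FMC. All names and addresses are assumptions: interface names "outside" and "inside", hub LAN 10.0.0.0/24, branch LAN 192.168.10.0/24 behind the MX, MX public IP 203.0.113.10, and the object, ACL and crypto map names.

```text
! --- Added example: ASA hub-side config for an MX non-Meraki peer with a 0.0.0.0/0 route ---
! Assumptions (not from the thread): outside interface "outside", inside interface "inside",
! hub LAN 10.0.0.0/24, branch LAN behind the MX 192.168.10.0/24, MX public IP 203.0.113.10.
! The MX dashboard peer entry must use the same IKEv2/IPsec parameters and list
! 0.0.0.0/0 as the peer's private subnet so the MX sends all traffic down the tunnel.

object network HUB_LAN
 subnet 10.0.0.0 255.255.255.0
object network BRANCH_LAN
 subnet 192.168.10.0 255.255.255.0

! Crypto ACL: "any" on the hub side matches the 0.0.0.0/0 selector the MX proposes.
access-list BRANCH_VPN extended permit ip any object BRANCH_LAN

! IKEv2 (phase 1) and IPsec (phase 2) parameters; set the same values on the MX peer.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Non-Meraki peers authenticate with a pre-shared key; use a long random value.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK

! Use a high sequence number: a catch-all "any" crypto ACL placed before more specific
! site-to-site entries on the same interface would shadow them.
crypto map OUTSIDE_MAP 65000 match address BRANCH_VPN
crypto map OUTSIDE_MAP 65000 set peer 203.0.113.10
crypto map OUTSIDE_MAP 65000 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 65000 set pfs group14
crypto map OUTSIDE_MAP interface outside

! Branch internet traffic arrives on "outside" through the tunnel and must leave "outside"
! again (U-turn), which the ASA refuses unless intra-interface traffic is permitted.
same-security-traffic permit intra-interface

! NAT, in evaluation order: first exempt hub<->branch traffic so it is not translated,
! then PAT branch clients to the outside interface address for internet-bound flows.
nat (inside,outside) source static HUB_LAN HUB_LAN destination static BRANCH_LAN BRANCH_LAN no-proxy-arp route-lookup
nat (outside,outside) source dynamic BRANCH_LAN interface
```

Two consequences worth checking before deploying this: the branch's internet traffic now egresses with the hub's public address and is subject to whatever outbound policy the hub firewall applies, and, per the note above, if the tunnel drops the branch has no internet access at all, because the MX will not fail that 0.0.0.0/0 route over to its own WAN.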
Thanks for the speedy response - kind of exactly what I thought, so that's good.
Next quick question to throw in a little complication....
The branch site we are looking at putting the Meraki into... they just have a single static public IP address.
Their current setup uses a Zyxel USG310 box which we are looking to replace with the Meraki, on this Zyxel they have configured several NAT (well...PAT) rules to various internal servers on the LAN.
If we replace this Zyxel with the Meraki and stand up the VPN as previously mentioned (backhauling all internet access), would we still be able to apply the PAT rules, or would they be overridden by the 0.0.0.0/0 route?
I am not sure, as I have not tested it, but considering the MX routing behaviour I believe NAT/PAT shall be overridden by the VPN default route.
Each type of route configured on the MX has a specific priority in comparison with other types of routes. The priority is as follows:
However, maybe we shall wait for inputs from other community members.
I think this will make the configuration considerably complex.
I would install a second MX next to your FTD box, and use Meraki's AutoVPN to build a full tunnel VPN between them. The MX next to your FTD could then run all its traffic through the FTD.
In fact, you could run that MX in VPN concentrator mode to make your life simpler.