Default Route to Internet via Directly Connected ANOTHER firewall

PeterDonnelly
New here

Scenario: MX250 as a hub for all site-to-site VPN. All spoke sites use this MX as their default gateway. I would like to introduce a default route to the internet for the hub MX250 that points to a directly connected A.N.Other firewall, as opposed to the WAN1 or WAN2 of the MX. Why? To have another firewall do what it does in-line with the MX. Any ideas if this is possible?

Thanks

Peter

5 Replies
Russ_B
Getting noticed

If I'm understanding your question correctly, you can configure the MX as a one armed concentrator that would be on the inside network behind the other firewall:

VPN Concentrator Deployment Guide - Cisco Meraki

Thanks for replying, Russ. Honestly, I do not know if this will give me the level of VPN availability I currently enjoy when using both MX WAN interfaces connected to separate ISPs. Unless I could perhaps try to do some policy-based routing on the "other" firewall to allow each WAN interface of the MX to route out through a different ISP interface of the other firewall, thus maintaining multiple VPN connections between the MX and the remote sites. Possible, you think?

ww
Kind of a big deal

If you want to keep using routed mode, you can set a static 0.0.0.0 route on the LAN side of the MX hub and advertise that 0 route into the VPN.

Like this?

[image attachment: image.png]

ww
Kind of a big deal

Yes.

I think it has to be 0.0.0.0/0.

And don't forget that the next hop needs to route all VPN and local VLAN subnets back to your MX.
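The "route back" caveat above is the part that usually bites in this design: a LAN-side 0.0.0.0/0 on the hub MX sends everything to the other firewall, but the other firewall must hold a return route for every spoke VPN subnet and every local MX VLAN, or reply traffic follows its own default to the ISP and the spokes lose connectivity. The following is an added example, not code from the thread or from Meraki: it takes a constructed copy of the other firewall's routing table plus the hub's subnet list and reports which subnets lack a return route pointing at the MX's LAN address. All addresses and subnets are made up for illustration.

```python
# Added example: verify the other firewall routes every VPN and local VLAN
# subnet back to the hub MX, and that the MX's LAN-side default route points
# at the other firewall. All values below are constructed sample data.
from ipaddress import ip_address, ip_network

MX_LAN_IP = ip_address("10.0.0.2")     # hub MX LAN interface on the transit link (assumed)
OTHER_FW_IP = ip_address("10.0.0.1")   # directly connected other firewall (assumed)

# Subnets that must be reachable back through the MX: local VLANs + spoke VPN subnets.
MX_LOCAL_VLANS = ["10.10.0.0/24", "10.20.0.0/24"]
SPOKE_VPN_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]

# Other firewall's routing table (constructed): (destination, next hop or None if connected).
OTHER_FW_ROUTES = [
    ("10.0.0.0/24", None),            # transit link, directly connected
    ("10.10.0.0/24", "10.0.0.2"),     # one local VLAN routed back to the MX
    ("192.168.0.0/22", "10.0.0.2"),   # summary covering 192.168.0.0 - 192.168.3.255
    ("0.0.0.0/0", "203.0.113.1"),     # ISP upstream default
]


def lookup(routes, subnet):
    """Longest-prefix match of `subnet` against `routes`; returns (dest, next_hop) or None."""
    best = None
    target = ip_network(subnet)
    for dest, nh in routes:
        net = ip_network(dest)
        if target.subnet_of(net) and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (dest, nh)
    return best


def missing_return_routes(routes, subnets, mx_lan_ip):
    """Subnets whose best match on the other firewall does not send traffic to the MX."""
    missing = []
    for s in subnets:
        match = lookup(routes, s)
        # A hit on the ISP default (or no route at all) means replies never reach the MX.
        if match is None or match[1] is None or ip_address(match[1]) != mx_lan_ip:
            missing.append(s)
    return missing


def check_mx_default_route(mx_static_routes, other_fw_ip):
    """True if the MX holds a LAN-side 0.0.0.0/0 static route whose next hop is the other firewall."""
    return any(ip_network(d).prefixlen == 0 and ip_address(nh) == other_fw_ip
               for d, nh in mx_static_routes)


if __name__ == "__main__":
    print(missing_return_routes(OTHER_FW_ROUTES, MX_LOCAL_VLANS + SPOKE_VPN_SUBNETS, MX_LAN_IP))
```

With the sample table, 10.20.0.0/24 is reported because it only matches the ISP default, which is exactly the failure ww describes.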
