Scenario: MX250 as a hub for all site-to-site VPN. All spoke sites use this MX as their default gateway. I would like to introduce a default route to the internet for the hub MX250 to be a directly connected A.N.Other firewall as opposed to the WAN1 or WAN2 of the MX. Why? To have another firewall do what it does in-line with the MX. Any ideas if this is possible?
Thanks
Peter
If I'm understanding your question correctly, you can configure the MX as a one armed concentrator that would be on the inside network behind the other firewall:
Thanks for replying, Russ. Honestly, I do not know if this will give me the level of VPN availability I currently enjoy when using both MX WAN interfaces connected to separate ISPs. Unless I could perhaps try to do some Policy Based Routing on the "other" firewall to allow each WAN interface of the MX to route out through a different ISP interface of the other firewall, thus maintaining multiple VPN connections between the MX and the remote sites. Possible, you think?
If you want to keep using routed mode, you can set a static 0.0.0.0 route on the LAN side of the MX hub and advertise that 0 route into the VPN.
Like this?
Yes.
I think it has to be 0.0.0.0/0.
And don't forget that the next hop needs to route all VPN and local VLAN subnets back to your MX.