Default Route to Internet via Directly Connected ANOTHER firewall

PeterDonnelly
New here

Default Route to Internet via Directly Connected ANOTHER firewall

Scenario:   MX250 as a hub for all site to Site VPN.  All spoke sites use this MX as their Default Gateway.  I would like to introduce a default route to internet for the hub MX250 to be a directly connected A.N.Other Firewall as opposed to the WAN1 or WAN2 of the MX.  Why?  To have another firewall do what it does in-line with the MX.   Any ideas if this is possible?

 

Thanks 

 

Peter

5 Replies 5
Russ_B
Getting noticed

If I'm understanding your question correctly, you can configure the MX as a one armed concentrator that would be on the inside network behind the other firewall:

 

VPN Concentrator Deployment Guide - Cisco Meraki

PeterDonnelly
New here

Thanks for replying, Russ.  Honestly, I do not know if this will give me the level of VPN availability I currently enjoy when using both MX WAN interfaces connected to separate ISPs. Unless I could perhaps try to do some Policy Based Routing on the "other" firewall" to allow each WAN interface of the MX to route out through a different ISP interface of the other firewall thus maintaining multiple VPN connections between the MX and the remote sites.  Possible you think?

 

ww
Kind of a big deal
Kind of a big deal

If you want to keep using routed mode. You can set a static  0.0.0.0 route on the lan side of the mx hub . And advertise that 0 route into vpn 

PeterDonnelly
New here

Like this?

 

image.png

ww
Kind of a big deal
Kind of a big deal

Yes.

I think it has to be 0.0.0.0/0.

And dont forget That next hop need to route back aĺl vpn and local vlan subnets back to your mx

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels