Meraki vMX Anyconnect Full Tunnel in AWS

SOLVED
propersky
Conversationalist

Has anyone been able to successfully get an AnyConnect client to route ALL of its traffic through a vMX ec2 instance out to the internet? 

We have a vendor that requires us to connect to their site with a static IP address and we're going fully virtual so no more appliances.  Essentially AnyConnect users will route all their traffic through AWS after connecting to AnyConnect.

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

Hopefully, your vendor will adopt MFA and a zero trust model; but in the interim you are going to have to do it the tough way.

You need to put something in front of the vMX to perform NAT.  I typically use an Ubuntu box.  Behind this, you put the vMX.  All traffic has to go through the Ubuntu box to get to the vMX (so the Ubuntu box will need a port forward to the vMX).  Any traffic leaving the vMX will be NATed to the IP address of the Ubuntu box, so from AWS's perspective, all traffic is coming from the Ubuntu box.

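The NAT box Philip describes, written out as an nftables ruleset. This is an added example, not configuration from the thread, from Meraki, or from PhilipDAth. It assumes a single ENI called ens5 on the Ubuntu instance, a private IP of 10.0.1.10 for that instance (its Elastic IP is the static address the vendor allowlists), 10.0.2.10 for the vMX, and AnyConnect on the default TCP/UDP 443; all of those values are constructed. Two AWS-side settings are outside the script and easy to forget: source/destination check must be disabled on the Ubuntu instance's ENI, and the vMX subnet's route table must send 0.0.0.0/0 to that ENI, otherwise the vMX's egress bypasses the NAT box and leaves with a different address. net.ipv4.ip_forward=1 is also required on the Ubuntu instance.

```shell
#!/usr/bin/env sh
# Added example: render an nftables ruleset for the Ubuntu NAT instance that
# sits in front of the vMX. Interface name and addresses are constructed for
# illustration; pass your own as arguments.
#
#   render_nat_ruleset <wan_ifname> <nat_instance_private_ip> <vmx_private_ip>
#
# Inbound: only the AnyConnect listener (TCP/UDP 443) is port-forwarded to the
# vMX; nothing else terminates on or passes through the NAT box.
# Outbound: everything sourced from the vMX is masqueraded to this instance's
# private address, which the Internet Gateway maps to its Elastic IP, so the
# vendor sees one static IP regardless of which AnyConnect user is talking.
render_nat_ruleset() {
    nat_if="$1"; nat_ip="$2"; vmx_ip="$3"
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Nothing else terminates on the NAT box itself. Add SSH from a
        # management CIDR here if you need it (deliberately not included).
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # New AnyConnect sessions, already DNATed to the vMX in prerouting
        ip daddr ${vmx_ip} tcp dport 443 ct state new accept
        ip daddr ${vmx_ip} udp dport 443 ct state new accept
        # Egress: only the vMX may originate traffic through this box
        ip saddr ${vmx_ip} oifname "${nat_if}" accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Port forward the AnyConnect listener to the vMX
        iifname "${nat_if}" ip daddr ${nat_ip} tcp dport 443 dnat to ${vmx_ip}
        iifname "${nat_if}" ip daddr ${nat_ip} udp dport 443 dnat to ${vmx_ip}
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Everything the vMX sends out leaves with this instance's address
        ip saddr ${vmx_ip} oifname "${nat_if}" masquerade
    }
}
EOF
}

# Print the ruleset for the constructed example topology. To deploy:
#   render_nat_ruleset ens5 10.0.1.10 10.0.2.10 > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf     # syntax check before applying
#   nft -f /etc/nftables.conf
render_nat_ruleset ens5 10.0.1.10 10.0.2.10
```

The filter table defaults to drop in both directions so the NAT box cannot become a general-purpose relay: the only thing reachable from the internet is the AnyConnect listener on the vMX, and the only thing allowed out is traffic sourced from the vMX. Check the result with `nft -c -f` before loading it, and verify the external address from a connected AnyConnect client; it should be the Elastic IP attached to the Ubuntu instance, not one belonging to the vMX.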

2 REPLIES
Thanks Philip.  We burned a bit of time going down this rabbit hole.  I appreciate the simplicity of your solution but really wish it weren't so.  Thanks so much for the quick response. 
