[Newbie here] Can MX64 work simultaneously as a VPN concentrator and NATranslator ?

Solved
mpat
Here to help


I am thinking of buying (and installing) an MX64 at a simple and small customer location that I am expected to support remotely. But I need to understand if it can fulfill my two requirements below:

1 - I need to securely access two local VLANs at the remote customer's site, i.e. outside-in mgmt access. If it helps, I do have an existing AnyConnect client on my MacBook.

2 - At the same time, both those internal customer VLANs need to 'see' the internet, and hence NATing is required, i.e. inside-out NATing.

Can the MX64 do both things simultaneously? I am confused between the passthrough/concentrator mode vs. routed mode and how they fit into fulfilling my requirements.

1 Accepted Solution
KarstenI
Kind of a big deal

In this scenario you would use the routed mode which gives you both NAT and also AnyConnect access on the public interface. Be aware that AnyConnect needs a separate license-subscription.

But I would go for the MX67. This device is only slightly more expensive and will have longer support than the MX64, which is already End-of-Sale.

mpat
Here to help

Great. Thanks for a quick response.

One more clarification: both kinds of traffic mentioned in my original post are going to be isolated, right? I.e. I don't want the traffic originating from the local LANs and destined for the Internet (e.g. AWS) to enter my AnyConnect tunnel.

Regarding the AnyConnect license: if I have read it well, my MacBook AnyConnect's existing license should allow me to initiate a connection to the remote MX64, and the remote MX64 doesn't really ask for (or enforce) an AnyConnect license, just an 'accept the T&Cs' warning, right?

Thanks for the end-of-sale warning. Good point. I will look into the End-of-support dates of the MX64 and also the MX67.

KarstenI
Kind of a big deal

By default there is no isolation. But you can control the traffic with the Firewall-Rules on the MX. And your Windows firewall would be the second line of defence.

 

For AnyConnect the licensing is not 100% clear for external users. But the general rule is that the company owning the VPN gateway needs to make sure these licenses are valid. And this is regardless of whether they are enforced or not.

smohsin
Conversationalist

Yes, MX64 can work simultaneously as a VPN concentrator and NATranslator.
