I am thinking of buying (and installing) an MX64 at a simple and small customer location that I am expected to support remotely. But I need to understand if it can fulfill my two requirements below:
1 - I need to securely access two local VLANs at the remote customer's site, i.e. outside-in mgmt access. If it helps, I do have an existing AnyConnect client on my MacBook.
2 - At the same time, both those internal customer VLANs need to 'see' the internet, and hence NATing is required, i.e. inside-out NAT'ing.
Can the MX64 do both things simultaneously? I am confused between the passthrough/concentrator mode vs. routed mode and how they fit into fulfilling my requirements.
In this scenario you would use the routed mode which gives you both NAT and also AnyConnect access on the public interface. Be aware that AnyConnect needs a separate license-subscription.
But I would go for the MX67. This device is only slightly more expensive and will have longer support than the MX64, which is already End-of-Sale.
Great. Thanks for a quick response.
One more clarification: both kinds of traffic mentioned in my original post are going to be isolated, right? I.e. I don't want the traffic originating from the local LANs, and destined for the Internet (e.g. AWS), to enter my AnyConnect tunnel.
Regarding the AnyConnect license: if I have read it well, my MacBook AnyConnect's existing license should allow me to initiate a connection to the remote MX64, and the remote MX64 doesn't really ask for (or enforce) an AnyConnect license - just an 'accept the T&Cs' warning, right?
Thanks for the end-of-sale warning. Good point. I will look into the End-of-Support dates of the MX64 and also the MX67.
By default there is no isolation. But you can control the traffic with the Firewall-Rules on the MX. And your Windows firewall would be the second line of defence.
For AnyConnect the licensing is not 100% clear for external users. But the general rule is that the company owning the VPN gateway needs to make sure these licenses are valid. And this is regardless of whether they are enforced or not.
Yes, the MX64 can work simultaneously as a VPN concentrator and NAT translator.