Vmx in Nat Mode - not routing over vpn tunnel correctly




I am using a vMX in AWS in NAT mode.


So MX -> VMX -> AWS Subnets


It seems that any traffic that has its source IP from a subnet defined as a static route and enabled in VPN does not get routed back by the vMX over the site-to-site tunnel but egresses over the WAN/internet interface.




vMX advertises (via static route)

MX advertises

Both are seen in the site-to-site VPN as local networks / remote VPN participants.


So I ping from -> it gets NATed over the interface using the public IP.

I was assuming any IP destination for a subnet in the VPN would be sent over the VPN tunnel and not NATed out as being external to the VPN.


This seems incorrect to me.


Can anyone confirm this behaviour as being correct?




That is not the correct behaviour. Normal operation is no NAT for traffic flowing over AutoVPN as long as both the source and destination subnet are included in AutoVPN.


If only a single subnet is included in AutoVPN, then NAT is used for the subnet not included, but this still flows over AutoVPN.
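As an added illustration of the rule stated in this reply (example code written for this page, not from the thread, and not Meraki's implementation): a small Python model of the forwarding and NAT decision a NAT-mode vMX should make, plus the check a practitioner would run first when seeing the symptom in the question, namely listing which static-route subnets are not actually enabled in AutoVPN. The subnet names and addresses are constructed placeholders, not taken from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption, not from the thread).
# Each entry: (name, network, enabled in AutoVPN).
VMX_STATIC_ROUTES = [
    ("app-subnet",  ipaddress.ip_network("172.16.10.0/24"), True),
    ("mgmt-subnet", ipaddress.ip_network("172.16.20.0/24"), False),  # forgot to enable VPN
]
MX_LAN = [
    ("branch-lan", ipaddress.ip_network("10.10.0.0/24"), True),
]


@dataclass(frozen=True)
class Decision:
    egress: str    # "autovpn" or "wan"
    natted: bool   # True when the source address is translated on the way out
    reason: str


def autovpn_subnets():
    """All subnets, on either peer, that are enabled in AutoVPN."""
    return [net for _, net, enabled in VMX_STATIC_ROUTES + MX_LAN if enabled]


def not_in_vpn():
    """Names of known subnets that are NOT enabled in AutoVPN.

    This is the first thing to check when VPN-bound traffic is seen
    leaving the WAN interface with the public IP.
    """
    return [name for name, _, enabled in VMX_STATIC_ROUTES + MX_LAN if not enabled]


def in_autovpn(addr: str) -> bool:
    """True if addr falls inside a subnet that is enabled in AutoVPN."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in autovpn_subnets())


def decide(src: str, dst: str) -> Decision:
    """Model of the behaviour described in the reply above.

    - src and dst both in AutoVPN subnets: over the tunnel, no NAT
    - only dst in an AutoVPN subnet: over the tunnel, src is NATed
    - dst not in any AutoVPN subnet: WAN egress, NATed to the public IP
      (this last case is the symptom the question reports)
    """
    if not in_autovpn(dst):
        return Decision("wan", True, "destination is not an AutoVPN participant")
    if in_autovpn(src):
        return Decision("autovpn", False, "both subnets in AutoVPN: no NAT")
    return Decision("autovpn", True, "source subnet not in AutoVPN: NATed over the tunnel")


def explain(src: str, dst: str) -> str:
    d = decide(src, dst)
    return f"{src} -> {dst}: {d.egress} ({'NAT' if d.natted else 'no NAT'}); {d.reason}"


if __name__ == "__main__":
    print("subnets not enabled in AutoVPN:", not_in_vpn())
    for s, d in [
        ("10.10.0.5", "172.16.10.7"),   # both in VPN
        ("172.16.20.9", "10.10.0.5"),   # source subnet not in VPN
        ("10.10.0.5", "8.8.8.8"),       # destination outside VPN
    ]:
        print(explain(s, d))
```

If `not_in_vpn()` returns the subnet you are pinging from or to, the WAN egress with the public IP is expected; if both ends are enabled on both peers and traffic still leaves the WAN interface, the behaviour is the one this reply describes as incorrect.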
