vMX NAT/Routed Mode Operation | VPN-Client Unable To Reach Public Internet

Jon-McEyes
Comes here often


Hi Everyone,

We are looking to use vMX as our main host to remotely connect (using anyconnect) to our corporate resources yet still be able to selectively reach public internet (split-tunnel) via vMX's public ip interface (NAT).

We are using this document as our guide and to understand its operation:
https://documentation.meraki.com/MX/Other_Topics/vMX_NAT_Mode_Use_Cases_and_FAQ#1._Scaling_Client_VP...

In Passthrough mode, VPN clients are able to reach our corporate network but can't hit any public internet (Google, Yahoo, etc.).

In Routed (NAT) mode, VPN clients are able to reach the internet through vMX's public internet interface, but they can't reach the corporate network anymore. Also, all the subnets in the VPN topology can no longer reach vMX's downstream (local) subnet. From what we have observed, this is "maybe" because vMX stops advertising its subnet in the VPN topology when set to Routed mode.

The vMX is in an AWS public subnet.

Need ideas on how to get these VPN clients to reach the internet while still being able to reach the corporate network, with the vMX subnet still reachable from the rest of the VPN topology.

2 Replies
alemabrahao
Kind of a big deal

Have you tried changing the client routing?

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Client_Routing

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Jon-McEyes
Comes here often

Yes, we already played around with those settings. With MX, Passthrough and Routed are working as expected, but not in vMX.
