vMX100 and Azure 0.0.0.0/0 route.

Azamat
Comes here often

Hello everyone, I hope you guys can help me. I'm really desperate on this

We are using vmx 100 as a one-armed concentrator in our production environment, I have successfully deployed an appliance in a full mesh topology, created a route table and able to reach all our branch offices in site-to-site VPN. 

By default when you create a route table in Azure the Internet traffic is going through the azure backbone, but

We would like to route all of our internet traffic out via a single IP, which is our Meraki vMX 100. In the Azure Route Table I have created a new route (0.0.0.0/0) with the next hop type set to the virtual appliance 10.100.0.4. At this point everything works except that I can't browse the internet. I can nslookup google.com and ping google.com and 8.8.8.8, but I am unable to surf the internet.

[screenshot: vmx.png]

Please help me

Thanks

jdsilva
Kind of a big deal


@Azamat wrote:

 In Azure Route Table, I have created a new route (0.0.0.0/0) with the next hop type set to the virtual appliance 10.100.0.4.


Have you added a route on the vMX back to to the Azure subnets?

Azamat
Comes here often

hi @jdsilva  how do I add a route on the vMX100?

[screenshot: sds.PNG]

Thanks

jdsilva
Kind of a big deal

Static routes are configured on the Security & SD-WAN > Addressing and VLANs page.

Azamat
Comes here often

hi @jdsilva, FYI on the vMX100 the Addressing and VLANs page doesn't exist

[screenshot: Screenshot 2019-08-27 at 19.44.12.png]

thanks

Happiman
Building a reputation

Can you ping URLs such as www.google.com or www.vmware.com?

[screenshot: image.png]

If you can, could you run tracetcp to verify which hop is broken? 

tracetcp traces a TCP port the way tracert does with ICMP.

[screenshot: image.png]

Azamat
Comes here often

hi @Happiman 

Yes, I can ping www.google.com and www.vmware.com.

[screenshot: 1.png]

However, tracert and tracetcp give me the following output:

[screenshot: 2.png]

[screenshot: 3.png]

Do you have any idea why?

Thanks!

PhilipDAth
Kind of a big deal

I don't think this should work.

The VMX is a VPN concentrator.  It doesn't do NAT.

And to the best of my knowledge, Azure will only do NAT for subnets located in Azure and not remote subnets - so that remote networks can't use Azure for Internet access.

Amazon AWS also imposes the same restriction.

To make this work you would need to configure a proxy server or an additional machine to be a NAT gateway (which I think in Azure would be really difficult).

You need to let your branches access the Internet directly via their MX(s) rather than via Azure.
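The reply above is the crux of the thread: once the 0.0.0.0/0 UDR sends VM traffic to the vMX, Azure's own Internet route (and the source NAT Azure performs on it) is no longer in the path, so unless the appliance at the next hop translates the 10.x source address, the far end replies to a private address that nothing on the Internet can route back. The following is an added example, not code from the thread or from Meraki or Microsoft, that models that behaviour: Azure's next-hop selection (longest prefix wins, and on an equal prefix a user-defined route beats the system route) and a round trip through an egress appliance with and without source NAT. The VNet prefix 10.100.0.0/16, the appliance public IP 40.112.1.1 and the flow addresses are assumptions for the sake of the model.

```python
"""Added example (not from the thread): a small model of Azure next-hop
selection and of why a 0.0.0.0/0 UDR to an appliance that does not NAT
leaves Azure VMs without a return path. Prefixes and IPs are assumptions."""
import ipaddress
from typing import Optional, Tuple

# Constructed route table: Azure system routes plus the UDR from the post.
# Each entry: (prefix, next hop type, next hop IP, origin). Azure picks the
# longest matching prefix; on a tie a user route is preferred over a system route.
ROUTES = [
    ("10.100.0.0/16", "VnetLocal", None, "system"),            # assumed VNet space
    ("0.0.0.0/0", "Internet", None, "system"),                  # Azure default route
    ("0.0.0.0/0", "VirtualAppliance", "10.100.0.4", "user"),    # the UDR in the post
]
PRIORITY = {"user": 0, "system": 1}  # lower wins when prefix lengths tie


def resolve_route(dst: str, routes=ROUTES) -> Tuple[str, Optional[str]]:
    """Return (next hop type, next hop IP) that the route table yields for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    if not matches:
        return ("None", None)
    best = min(matches, key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen,
                                       PRIORITY[r[3]]))
    return (best[1], best[2])


class EgressAppliance:
    """Model of the NVA at 10.100.0.4. With nat=False it only forwards, as a
    concentrator does; with nat=True it source-NATs to a public IP and keeps
    a translation table so replies can be mapped back to the inside host."""

    def __init__(self, public_ip: str, nat: bool):
        self.public_ip = public_ip
        self.nat = nat
        self.table = {}          # (public_ip, port) -> (inside IP, inside port)
        self.next_port = 40000

    def egress(self, src, sport, dst, dport):
        if not self.nat:
            return (src, sport, dst, dport)   # private source leaves unchanged
        self.next_port += 1
        self.table[(self.public_ip, self.next_port)] = (src, sport)
        return (self.public_ip, self.next_port, dst, dport)

    def ingress_reply(self, src, sport, dst, dport):
        """Translate a reply arriving from the Internet back to the inside host."""
        inside = self.table.get((dst, dport))
        if inside is None:
            return None
        return (src, sport, inside[0], inside[1])


def internet_can_route_back(dst: str) -> bool:
    """Public routers have no route for RFC1918 (or other non-global) space."""
    return ipaddress.ip_address(dst).is_global


def round_trip(vm_ip: str, dst: str, dport: int,
               appliance: EgressAppliance) -> Optional[tuple]:
    """Send one flow from an Azure VM via the route table and return the reply
    as delivered to the VM, or None when the reply cannot make it back."""
    hop_type, hop_ip = resolve_route(dst)
    if hop_type != "VirtualAppliance" or hop_ip != "10.100.0.4":
        return None                      # only the NVA path is modelled here
    s, sp, d, dp = appliance.egress(vm_ip, 51000, dst, dport)
    reply = (d, dp, s, sp)               # the server answers whatever source it saw
    if not internet_can_route_back(reply[2]):
        return None                      # reply addressed to 10.x never reaches Azure
    return appliance.ingress_reply(*reply)


if __name__ == "__main__":
    print(resolve_route("8.8.8.8"))                       # UDR beats the system default
    no_nat = EgressAppliance("40.112.1.1", nat=False)     # concentrator-only behaviour
    print(round_trip("10.100.1.20", "8.8.8.8", 443, no_nat))
    with_nat = EgressAppliance("40.112.1.1", nat=True)    # what a NAT gateway adds
    print(round_trip("10.100.1.20", "8.8.8.8", 443, with_nat))
```

The model also shows why the symptoms in the thread look inconsistent: a lookup or an ICMP probe that succeeds elsewhere in the path says nothing about the return leg of a TCP session, which is exactly what the 0.0.0.0/0 UDR moved onto the appliance.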

Azamat
Comes here often

hi @PhilipDAth, please look at this article: http://vmusketeers.com/2019/04/23/routing-from-a-single-public-ip-with-azure-firewall/ This guy has done it with Azure Firewall. Is it possible with the vMX100? My branches can access the internet via the MX84; the problem is with my Azure VMs, they cannot surf the Internet.

Thanks

Happiman
Building a reputation

@Azamat

The website mentions that:

[screenshot: image.png]

PhilipDAth
Kind of a big deal

Yes, that looks like it would work. You just need something that can do NAT for you.

ISAdmin
Here to help

So we have a very similar setup. We have a vMX100 in Azure. We have a route table that is tied to the NSG, and the route table has the 0.0.0.0/0 route pointed to the vMX100 internal IP, which allows us to route all machines tied to the NSG back to our company's primary internet drain, and that works. However, I cannot get an internal Azure IP tied to this NSG to NAT back out externally to our primary Firepower that is tied to the public IPs we want to use. This is super frustrating. Either I am missing something or this is just not supported by Meraki or Azure? I have had Meraki and Cisco TAC look at this, and both agree we see everything passing inbound all the way to our Azure vMX100 interface on the site-to-site VPN, but we never see any return traffic. So either Meraki is attempting to pass this out the public IP of the vMX100 (no packets are captured on this interface either), or Azure is not able to accommodate this type of routing when an internal IP is attempting to go back out to a certain public IP that lives out in the great big world. Super frustrated!!

Edit - We do NOT want to use Azure Firewall!

PhilipDAth
Kind of a big deal

The vMX100 would need to be running a full tunnel back to your DC to make that work. Is that the case?

Have you thought about getting a virtual Firepower for Azure?

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/azure/ftdv-azure-qsg.html#:~:te... 