Route public IP over vmx AutoVPN

We have a website we use that has a function locked by an IP whitelist at website vendor.

Right now we route their public IPs over our VPN so it all seems to come from our HQ WatchGuard firewall.

So we only have one IP to whitelist across multiple sites currently.

When moving to Meraki and AutoVPN with a vMX in Azure we cannot do this.

VPN concentrator mode has no idea of source nat. And routed mode doesn’t seem to work with local subnets over the VPN.

Has anyone done this and got it working? So far our reseller says to put a routed vMX in front of the current one and use it as a default gateway.

Hoping for a better solution. Maybe some crafty network setup in Azure?

Edit: this is for remote sites running MXs

You can’t just add that public IP to the list of local subnets on the Azure concentrator?

Can’t you just add your Azure VNet NAT gateway (the one that routes out to the Internet) to this whitelist? I’m all for simplicity, but it’d be easier to just add a 2nd IP in this case I think.

With a one-arm mode MX you can’t do what you’re trying to do; they should only be used to access internal resources. If you want to route a public IP over the MX in one-arm mode, you really need something upstream as your Internet edge.

Feels like permit list isn’t really the right solution for what you’re trying to achieve.

Under site-to-site VPN just mark default route. All connected sites will route through the default “hub” and thus only need the hub IP whitelisted. But all traffic will be going over the VPN.

You can, and then the website never loads on the remote sites. I think this is because the VPN concentrator mode has no concept of source NAT. So it’s not routing back or something.

That’s what I’m trying to do. But Meraki doesn’t allow public IPs to be routed over the vMX AutoVPN and have it actually work. When you add the public IP to Meraki local subnets it routes it, but nothing happens on the client. It just spins and doesn’t load.

Definitely don’t want to route all traffic over the VPN. 300+ sites.

Oh, yeah. The router upstream of the concentrator has no return path for the subnets on the other end of the VPN. You’d have to run the concentrator in “routed” mode for the MX to NAT the outbound VPN traffic, but I’m not sure if you can run the Azure MX in that mode.

Can you enable dynamic routing in the Azure cloud so the MX can use BGP to share its routing table?

I’m not talking about that?

Just have the vendor IPs route normally out the Internet in the VNet. Add the VNet public IP to the vendor’s whitelist.

> But Meraki doesn’t allow public IPs to be routed over the vMX AutoVPN and have it actually work

This is incorrect. We do this internally for a lot of sites. Meraki doesn’t care if it’s handling public or private IP traffic. Our deployment consists of an AWS vMX with local networks advertising public IPs into AutoVPN. Then the AWS route table points the default route at a NAT instance. Return-traffic routes are installed to point RFC1918 at the vMX. We do this multi-region for redundancy.

Packet captures will show you where you have an issue, but I’m betting it’s that the return routes are missing and whatever is doing NAT in Azure doesn’t know where to send the return traffic. But probably worth confirming that the client traffic is making it to the vMX as well.

Sorry, I think I left out an important point. We have Meraki MX at remote sites. That’s where the routing to the vMX has to happen. Nothing in Azure. These are physical locations.

I shouldn’t have said “doesn’t allow”, but “doesn’t work”. I was thinking there is something in Azure I should be able to do, but I’m not sure what. Can you give me more details of what you did?

I’m not getting then what the vMX has to do with anything. If you’re not using a VNet in Azure with the vMX, why does it need to be able to route to this vendor?

I assume you have multiple sites with physical Meraki MXs. You decide to advertise the vendor IPs in your datacenter so all the remote-site MXs send the traffic there. Where does the Azure vMX fit into this? I thought you had a VNet with a vMX that needed to access the vendor and you were having trouble with that.

I’ll have to check when I’m on my work machine tomorrow. It’s been a couple years since I touched it, but it’s something like the following:

The AWS route table sends all traffic to the NAT instance. The NAT instance is configured to NAT any RFC1918. There are several walkthroughs online that can accomplish this. The NAT instance has a local route on the instance to send RFC1918 traffic to the IP of the vMX in passthrough mode. The vMX is in hub mode and advertises the public subnets you want routed into the AutoVPN. That traffic from the clients will get default-routed to the NAT instance and the return traffic gets directed to the vMX.

It’s not a perfect system, but HA is accomplished by duplicating the design in multiple regions. I’ll try to check the Terraform tomorrow to see if there is anything missing from the above. At the time the NAT service for AWS did not behave nicely with the AutoVPN, hence the NAT instance. Azure NAT may work better.
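The two replies above (the "return routes are missing" diagnosis and the AWS NAT-instance design) both come down to route tables on each hop. The following is an added simulation, not code from any poster or from Meraki, that walks a client flow to the vendor through a constructed topology and shows when the reply makes it back. All addresses and hop names are placeholders (2.3.4.5 and 3.4.5.6 reuse the thread's own example numbers; 203.0.113.10 from TEST-NET-3 stands in for pos.com); the flags `vendor_advertised` and `return_routes_installed` are the two knobs discussed in the thread.

```python
import ipaddress

# Constructed topology for the simulation; nothing here comes from a real deployment.
REMOTE_LAN = "10.20.0.0/16"
REMOTE_CLIENT = "10.20.0.10"
REMOTE_WAN_IP = "2.3.4.5"      # remote site's own Internet address
HUB_PUBLIC_IP = "3.4.5.6"      # address the NAT in the hub presents to the vendor
VENDOR_IP = "203.0.113.10"     # stand-in for pos.com
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop); None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def build_tables(vendor_advertised, return_routes_installed):
    """Route table of every hop. The two flags model the knobs the thread discusses."""
    remote_mx = [("0.0.0.0/0", "remote-wan")]
    if vendor_advertised:                       # hub advertises the vendor /32 into AutoVPN
        remote_mx.append((VENDOR_IP + "/32", "autovpn"))
    vmx = [(REMOTE_LAN, "autovpn"), ("0.0.0.0/0", "vnet")]   # one-arm concentrator
    vnet = [("0.0.0.0/0", "nat")]               # VNet route table: default to the NAT instance
    nat = [("0.0.0.0/0", "internet")]           # NAT instance's own local routes
    if return_routes_installed:                 # RFC1918 back to the vMX (the missing piece)
        nat += [(prefix, "vmx") for prefix in RFC1918]
    return {"remote-mx": remote_mx, "vmx": vmx, "vnet": vnet, "nat": nat}


def trace_flow(vendor_advertised, return_routes_installed):
    """Follow one client -> vendor request and its reply; report who the vendor sees."""
    t = build_tables(vendor_advertised, return_routes_installed)
    forward = ["client", "remote-mx"]
    if lookup(t["remote-mx"], VENDOR_IP) == "remote-wan":
        # Vendor reached directly from the site; it sees the site's WAN IP and replies the same way.
        return {"forward": forward + ["internet", "vendor"], "vendor_sees": REMOTE_WAN_IP,
                "return": ["vendor", "internet", "remote-mx", "client"], "reply_delivered": True}
    forward += ["autovpn", "vmx", lookup(t["vmx"], VENDOR_IP)]        # vnet
    forward += [lookup(t["vnet"], VENDOR_IP), "internet", "vendor"]   # nat rewrites src to 3.4.5.6
    # Reply: vendor answers 3.4.5.6, the NAT un-translates it to REMOTE_CLIENT and must route it.
    ret = ["vendor", "internet", "nat"]
    hop = lookup(t["nat"], REMOTE_CLIENT)
    if hop != "vmx":
        # RFC1918 destination pushed towards the Internet: never delivered, the page just spins.
        return {"forward": forward, "vendor_sees": HUB_PUBLIC_IP,
                "return": ret + [hop], "reply_delivered": False}
    ret += ["vmx", lookup(t["vmx"], REMOTE_CLIENT), "remote-mx", "client"]
    return {"forward": forward, "vendor_sees": HUB_PUBLIC_IP,
            "return": ret, "reply_delivered": True}


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        r = trace_flow(*flags)
        state = "delivered" if r["reply_delivered"] else "DROPPED"
        print(f"advertised={flags[0]} return_routes={flags[1]} "
              f"vendor sees {r['vendor_sees']}: {state} via {' > '.join(r['return'])}")
```

The middle case (vendor IP advertised into AutoVPN, no RFC1918 route back to the vMX on whatever does NAT) is the "spins and doesn't load" symptom: the request leaves with the hub's public IP, but the NAT has nowhere to send the reply except the default route. A capture on the vMX's LAN side would show SYNs leaving and no SYN-ACKs coming back, which is the check the earlier reply suggests.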

I’ll try to explain, as we seem to be thinking of different things.

We are switching firewall vendors to Meraki at our remote locations. Currently we have a website we visit; call it pos.com. On our existing firewalls we can tell them to use the VPN tunnel to HQ to route pos.com.

Now pos.com sees traffic from our HQ at 1.2.3.4 instead of the remote site’s Internet on 2.3.4.5.

Going to Meraki, we have deployed a vMX for our VPN tunnels. It’s in VPN concentrator mode, so our remote sites can talk to our Azure and HQ environments. We also tried adding pos.com’s IPs to the local subnets list in the vMX. But when we do that pos.com no longer loads.

Say the vMX has public IP 3.4.5.6; we want pos.com to see that IP now.

We do have a VNet for the vMX, a /29, just to be clear. And a route table attached to our other Azure VNets, and all those communicate fine.

Hey, following up on this: did you ever get a chance to check how your system works? I could not get it to work in Azure with their NAT Gateways.

I fully understand you want to route pos.com over your SD-WAN so everyone goes out the same IP. You just add the IP(s) for pos.com to the list of subnets that the HQ MX is advertising on the SD-WAN. The other MXs will then route traffic to pos.com to HQ.

What does the vMX have to do with any of this? “For our VPN tunnels”?? Are you talking SD-WAN AutoVPN tunnels or something else?

Yes, SD-WAN AutoVPN tunnels. There is no HQ MX. We are using the vMX for tunneling.

Later we will upgrade HQ to an MX. But our existing firewalls use it as their VPN endpoint.

You don’t need some arbitrary hub vMX; why do you even have it? The MXs can hub together on their own. Your vMX is doing nothing but costing you money.

Pick a different remote location that has a physical MX to centralize this vendor URL. Move it later when you put an MX in HQ.