Cisco Umbrella SIG and 1:1 Nat MX

macdonaldjames
Level 1

I was wondering if anyone else has run into this issue before:


We just recently deployed an MX250 pair, along with the deployment of the Umbrella SIG Tunnels for SSL Decrypt among other services. Within this site we are hosting Exchange and Citrix. The MX holds the 1:1 NATs. However, with the SIG Tunnels active the 1:1 NATs do not function as intended. We get asymmetric routing. Basically - Traffic comes in fine as expected (WAN1) - However, when the server replies, the return traffic is being sent out the SIG Tunnel and fails, and the user gets page not found. Short of disabling the subnet from the VPN, we are unable to bypass the SIG Tunnels. Disabling isn't an option as this would not allow the subnet to utilize the SSL Decrypt and other policies from SIG.

Thanks in advance.


Milos_Jovanovic
VIP Alumni

Hi @macdonaldjames,

If I understand you correctly, you actually have a situation in which your traffic from Exchange and Citrix is going via SIG tunnel, while it shouldn't.

Have you checked where the default route is taking you? From my standpoint, this is most probably the root cause of why your traffic is traversing this way. People from the Internet can reach your servers, because it is a non-RFC1918 address, while your MX is routing it back via the tunnel, where it has the default route, most probably. It looks to me like you'll need to do some PBR in order to resolve this.

Kind regards,

Milos

Oh, the default route is certainly taking me over the SIG Tunnels - However the MX doesn't have a way to manipulate this - When SIG is active it overrides everything - Some sort of PBR would be great, however to my understanding the MX doesn't support this.

Milos_Jovanovic
VIP Alumni

I never used MX, but, by a quick search, I found this article. It is not called Policy-Based Routing, as with standard Cisco equipment, but apparently Source Based Default Routing.

Kind regards,

Milos
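To make the asymmetric path discussed in this thread concrete, here is an added Python model of the MX's routing decision for a 1:1 NAT'd server: destination longest-prefix match, with a source-based override that applies only when the default route wins. This is a constructed example, not Meraki or Cisco code; the addresses (RFC 5737 documentation ranges), interface names and the exact semantics of the source-based default route are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges; not from the thread.
INTERNET_CLIENT = ipaddress.ip_address("203.0.113.10")
EXCHANGE_PUBLIC = ipaddress.ip_address("198.51.100.25")
EXCHANGE_INSIDE = ipaddress.ip_address("10.50.1.25")
ONE_TO_ONE_NAT = {EXCHANGE_PUBLIC: EXCHANGE_INSIDE}  # public -> inside, the MX's 1:1 NAT

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    egress: str

class RoutingModel:
    """Destination longest-prefix match, plus an optional source-based override
    that is consulted only when the winning route is the default route (assumed semantics)."""
    def __init__(self, routes, source_default=None):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.source_default = source_default or {}  # local subnet -> egress for default-routed traffic

    def lookup(self, src, dst):
        for route in self.routes:
            if dst in route.prefix:
                if route.prefix.prefixlen == 0:
                    for subnet, egress in self.source_default.items():
                        if src in subnet:
                            return egress
                return route.egress
        return "drop"

def nat_flow(model, client, public_ip, inbound="wan1"):
    """Follow client -> public IP -> inside server, then the server's reply back out.
    Returns (inbound interface, reply egress, symmetric?)."""
    inside = ONE_TO_ONE_NAT[public_ip]
    reply_egress = model.lookup(inside, client)
    return inbound, reply_egress, reply_egress == inbound

LAN = ipaddress.ip_network("10.50.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ROUTES = [Route(LAN, "lan"), Route(DEFAULT, "sig-tunnel")]  # SIG tunnel owns the default route

def broken_model():
    return RoutingModel(ROUTES)

def fixed_model():
    # Steer this subnet's default-routed (Internet-bound) traffic out WAN1 instead of the tunnel
    return RoutingModel(ROUTES, source_default={LAN: "wan1"})
```

Note that in this model the source-based rule redirects the whole subnet's default-routed traffic, so it restores a symmetric path for the NAT'd server at the cost of that subnet's Internet-bound traffic no longer entering the SIG tunnel, which is the trade-off raised in the original post.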