The MX Series Security Appliance and Z1 Teleworker Gateway can be deployed in Passthrough or VPN Concentrator mode. In this mode, the appliance does not perform address translation and acts as a layer 2 bridge between the Internet and LAN ports.
When in passthrough mode, the MX/Z1 is best used for in-line:
There are a number of differences in configuration between NAT and passthrough modes on the MX/Z1:
When using an MX or Z1 as a site-to-site VPN peer, it will only be able to send client traffic over the VPN tunnel if that traffic has been directed to it. As such, a router or L3 switch on the network needs static routes configured so that VPN-bound traffic is sent to the MX/Z1. This traffic will then be encrypted and sent through the site-to-site VPN tunnel. Traffic bound to the Internet or other destinations will simply pass through the appliance.
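One way to check the static routes described above, as an added example that is not from the original page: it audits a route table exported from the upstream router or L3 switch and reports remote VPN subnets whose traffic would not be handed to the MX/Z1 and so would never enter the tunnel. The route table, subnets and addresses are constructed sample values, and the function name is hypothetical.

```python
import ipaddress

# Constructed sample data: (prefix, next hop) pairs from the upstream router.
CONCENTRATOR = "192.168.1.2"          # assumed LAN address of the MX/Z1
ROUTES = [
    ("0.0.0.0/0", "192.0.2.1"),       # default route to the Internet edge
    ("10.20.0.0/16", CONCENTRATOR),
    ("10.20.5.0/24", "192.0.2.1"),    # more-specific route overriding the /16
    ("10.30.0.0/24", CONCENTRATOR),   # covers only part of 10.30.0.0/16
    ("10.50.0.0/24", CONCENTRATOR),
]
VPN_SUBNETS = ["10.20.0.0/16", "10.30.0.0/16", "10.50.0.0/24"]


def audit_vpn_routes(routes, vpn_subnets, concentrator_ip):
    """Return {subnet: [problems]} for remote VPN subnets whose traffic is
    not fully directed to the concentrator under longest-prefix matching."""
    table = [(ipaddress.ip_network(p), nh) for p, nh in routes]
    findings = {}
    for subnet in map(ipaddress.ip_network, vpn_subnets):
        same_family = [(n, nh) for n, nh in table if n.version == subnet.version]
        # Routes that cover the whole subnet; the longest prefix wins.
        covering = [(n, nh) for n, nh in same_family if subnet.subnet_of(n)]
        best = max(covering, key=lambda r: r[0].prefixlen, default=None)
        problems = []
        if best is None:
            problems.append("no route")
        elif best[1] != concentrator_ip:
            problems.append(f"covered by {best[0]} via {best[1]}")
        # More-specific routes inside the subnet that send part of it elsewhere.
        for n, nh in same_family:
            if n != subnet and n.subnet_of(subnet) and nh != concentrator_ip:
                problems.append(f"{n} diverted via {nh}")
        if problems:
            findings[str(subnet)] = problems
    return findings


if __name__ == "__main__":
    for subnet, problems in audit_vpn_routes(ROUTES, VPN_SUBNETS, CONCENTRATOR).items():
        print(subnet, "->", "; ".join(problems))
```

Any subnet the audit reports would follow the listed next hop instead of the MX/Z1, so its traffic would pass through unencrypted rather than over the site-to-site tunnel.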
An MX/Z1 in passthrough mode can be configured to perform a number of the same functions as in NAT mode. However, the appliance acts as an invisible third party, only touching traffic when required by a configured function. It can passively perform intrusion detection and collect statistics about traffic passing through it without taking action. It can also perform traffic shaping and content/security filtering functions to intercept and manipulate traffic as needed.