
Passthrough Mode on the MX Security Appliance and Z1 Teleworker Gateway

The MX Series Security Appliance and Z1 Teleworker Gateway can be deployed in Passthrough or VPN Concentrator mode. In this mode, the appliance does not perform address translation and acts as a layer 2 bridge between the internet and LAN ports.

When in passthrough mode, the MX/Z1 is best used for in-line:

  • Layer 3/7 firewall rules, traffic shaping, and analysis
  • Network asset discovery and reporting
  • Intrusion detection
  • Security and content filtering
  • Client and site-to-site VPN

Configuration Differences

There are a number of differences in configuration between NAT and passthrough modes on the MX/Z1:

  • LAN 2 cannot be configured as Internet 2. Thus Configure > Traffic shaping > Uplink configuration only has the option for limiting speed on Internet 1.
  • Site-to-site VPN can only operate in split-tunnel mode. Traffic bound to VPN subnets must be directed to the MX/Z1.
  • DHCP is no longer available. DHCP requests will simply pass through the MX/Z1.
  • Cellular uplink is no longer available.
  • VLANs cannot be configured. The MX/Z1 will act as a bridge between the internet and LAN ports.

Considerations for VPN and Other Features

When an MX or Z1 is used as a site-to-site VPN peer, it can only send client traffic over the VPN tunnel if that traffic has been directed to it. A router or L3 switch on the network therefore needs static routes configured so that VPN-bound traffic is sent to the MX/Z1. This traffic is then encrypted and sent through the site-to-site VPN tunnel. Traffic bound to the internet or other destinations simply passes through the appliance.
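The static-route requirement above can be checked offline. The following is an added example, not Meraki code: it audits a router's static routes with longest-prefix matching and reports whether each remote VPN subnet is sent to the MX/Z1 in full, in part, or not at all. All addresses, routes and names in it are constructed assumptions, and it handles IPv4 only.

```python
import ipaddress

# Constructed sample data (not from the page): the upstream router's static
# routes as (prefix, next hop), the MX/Z1 address, and the remote VPN subnets.
MX_IP = "192.168.1.2"
GATEWAY_IP = "192.168.1.1"
ROUTES = [
    ("0.0.0.0/0", GATEWAY_IP),
    ("10.20.0.0/16", MX_IP),
    ("10.20.5.0/24", GATEWAY_IP),   # stale, more specific route
    ("10.30.0.0/24", MX_IP),
]
VPN_SUBNETS = ["10.20.0.0/16", "10.30.0.0/24", "10.40.0.0/24"]


def hops_for(routes, subnet):
    """Return every next hop used by addresses in subnet (None = no route)."""
    # A strictly more specific route splits the subnet, so check each half.
    if any(net != subnet and net.subnet_of(subnet) for net, _ in routes):
        halves = subnet.subnets(prefixlen_diff=1)
        return set().union(*(hops_for(routes, half) for half in halves))
    # Otherwise the whole subnet follows the longest prefix that covers it.
    covering = [(net, hop) for net, hop in routes if subnet.subnet_of(net)]
    if not covering:
        return {None}
    return {max(covering, key=lambda r: r[0].prefixlen)[1]}


def audit(routes, vpn_subnets, mx_ip):
    """Classify each VPN subnet by whether the router sends it to the MX/Z1."""
    parsed = [(ipaddress.ip_network(p), hop) for p, hop in routes]
    report = {}
    for cidr in vpn_subnets:
        hops = hops_for(parsed, ipaddress.ip_network(cidr))
        if hops == {mx_ip}:
            report[cidr] = "ok"
        elif mx_ip in hops:
            report[cidr] = "partial"
        else:
            report[cidr] = "not-routed-to-mx"
    return report


if __name__ == "__main__":
    for cidr, status in audit(ROUTES, VPN_SUBNETS, MX_IP).items():
        print(f"{cidr:<16} {status}")
```

A "partial" result means a more specific route diverts part of a VPN subnet away from the MX/Z1, so that part never enters the tunnel.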

 

An MX/Z1 in passthrough mode can be configured to perform a number of the same functions as in NAT mode. However, the appliance acts as an invisible third party, only touching traffic when required by a configured function. It can passively perform intrusion detection and collect statistics about traffic passing through it without taking action. It can also perform traffic shaping and content/security filtering functions to intercept and manipulate traffic as needed.

Additional Resources

For details on how to configure IDS, traffic shaping, content filtering, security filtering, warm spare, and other MX/Z1 functions, please visit the MX Series Configuration Guide.

Last modified
13:01, 16 Feb 2017


Article ID

ID: 1501
