Backhaul internet breakout to non-meraki VPN peer


Hi Folks,


Apologies if this has been asked before (sure it has been) - Looking at configuring an MX84 at a branch site which will then VPN back to a central location that has Cisco FTD NG firewalls (let's just say they are ASAs for simplicity just now).


I need to check about what options I have for configuring Internet Access breakout for users behind the Meraki.


Can I back-haul all internet access over the tunnel to the head office Cisco FTDs (I know about the "exit hub" setting in the dashboard - but it's not a Meraki at the head office - so I just wanted to be sure this is possible).


Thanks in advance....



Hi Paul,


I understand this shall not be a challenge.


Kindly check the following URL.


The following section is an excerpt from the above URL:

Non-Meraki VPN peers

You can create Site-to-site VPN tunnels between the MX appliance and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:

  • A name for the remote device or VPN tunnel.
  • The public IP address of the remote device.
  • The subnets behind the third-party device that you wish to connect to over the VPN. A default route to this peer can also be specified.
  • The IPsec policy to use.
  • The preshared secret key (PSK).
  • Availability settings to determine which appliances in your Dashboard Organization will connect to the peer.

Note that if an MX is configured with a default route to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.


Hi Ajit,


Thanks for the speedy response - kind of exactly what I thought, so that's good.


Next quick question to throw in a little complication....


The branch site we are looking at putting the Meraki into... they just have a single static public IP address.


Their current setup uses a Zyxel USG310 box which we are looking to replace with the Meraki, on this Zyxel they have configured several NAT (well...PAT) rules to various internal servers on the LAN.


If we replace this Zyxel with the Meraki and stand up the VPN as previously mentioned (backhauling all internet access), would we still be able to apply the PAT rules, or would they be overridden by the route?


Thanks again




I am not sure, as I have not tested, but considering the MX routing behaviour I believe NAT/PAT shall be overridden by the VPN default route.

Route Priority

Each type of route configured on the MX has a specific priority in comparison with other types of routes. The priority is as follows:

  1. Directly Connected
  2. Client VPN
  3. Static Routes
  4. AutoVPN Routes
  5. Non-Meraki VPN Peers
  6. NAT*

However, maybe we shall wait for inputs from other community members.
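To make the reasoning in the route-priority list above concrete, here is an added example (not Meraki code, and not from any poster in this thread) that models the branch scenario described by the original poster: a directly connected LAN, head-office subnets reachable through the Non-Meraki VPN peer, a full-tunnel default route to that peer, and the MX's own NAT route to the WAN. The resolver assumes that the longest matching prefix wins and that the route-type ranking quoted above breaks ties between equally specific prefixes; that tie-break assumption, the subnet values and the "nat" route kind are constructed for illustration and should be confirmed against Meraki's routing documentation before relying on them.

```python
"""Toy model of the MX route-type priority list quoted in this thread.

Added example, not Meraki's code. Assumptions (labelled as such): the
lookup picks the longest matching prefix first and uses the route-type
ranking only to break ties between equally specific prefixes. Subnets
and next-hop labels below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Priority order exactly as listed in the thread (1 = highest priority).
ROUTE_PRIORITY = {
    "directly_connected": 1,
    "client_vpn": 2,
    "static": 3,
    "autovpn": 4,
    "non_meraki_vpn_peer": 5,
    "nat": 6,
}


@dataclass(frozen=True)
class Route:
    prefix: str    # destination prefix, e.g. "192.168.10.0/24"
    kind: str      # one of the ROUTE_PRIORITY keys
    next_hop: str  # human-readable description of where traffic goes


def lookup(routes, dst):
    """Return the Route chosen for destination IP `dst`, or None if no match."""
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in ip_network(r.prefix)]
    if not candidates:
        return None
    # Assumption: most specific prefix first, then the thread's priority rank.
    return min(
        candidates,
        key=lambda r: (-ip_network(r.prefix).prefixlen, ROUTE_PRIORITY[r.kind]),
    )


# Constructed sample routing table for the branch MX.
BRANCH_LAN = Route("192.168.10.0/24", "directly_connected", "LAN interface")
HQ_SUBNETS = Route("10.0.0.0/8", "non_meraki_vpn_peer", "IPsec tunnel to FTD")
FULL_TUNNEL = Route("0.0.0.0/0", "non_meraki_vpn_peer", "IPsec tunnel to FTD")
WAN_NAT = Route("0.0.0.0/0", "nat", "local internet breakout via WAN")


def branch_scenario():
    """Resolve a few destinations with and without the full-tunnel default route.

    Returns a dict of route kinds so the outcome can be checked programmatically.
    """
    full_tunnel_table = [BRANCH_LAN, HQ_SUBNETS, FULL_TUNNEL, WAN_NAT]
    split_tunnel_table = [BRANCH_LAN, HQ_SUBNETS, WAN_NAT]
    return {
        # Both 0.0.0.0/0 entries match; rank 5 beats rank 6, so the VPN wins.
        "internet_full_tunnel": lookup(full_tunnel_table, "203.0.113.10").kind,
        # Without the VPN default route, NAT is the only default left.
        "internet_split_tunnel": lookup(split_tunnel_table, "203.0.113.10").kind,
        # The /8 to head office is more specific than either default route.
        "head_office": lookup(full_tunnel_table, "10.1.2.3").kind,
        # Local LAN is the most specific prefix and the highest-ranked type.
        "branch_lan": lookup(full_tunnel_table, "192.168.10.5").kind,
    }


if __name__ == "__main__":
    for name, kind in branch_scenario().items():
        print(f"{name:22s} -> {kind}")
```

Running the block prints the route kind chosen for each destination; the two "internet" rows are the point of the example, because they show how adding a 0.0.0.0/0 entry toward the Non-Meraki peer displaces the NAT default route under the listed ranking, which is the outcome the reply above expects. Whether the inbound PAT rules on the WAN side are affected is a separate question that this model does not answer, since it only covers outbound route selection.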


I think this will make the configuration considerably complex.


I would install a second MX next to your FTD box, and use Meraki's AutoVPN to build a full tunnel VPN between them. The MX next to your FTD could then run all its traffic through the FTD.

In fact, you could run that MX in VPN concentrator mode to make your life simpler.
