How to allow VPN traffic in from WAN on both sides?

Solved
2000plusone
Conversationalist


2x MX68 with AutoVPN are connected.
Each one is behind a NAT. I don't want to disturb the existing networks and put clients behind MX. But I do need to jump into the tunnel from both sides. Effectively, it's "Internet" traffic getting into WAN interface and routing into the tunnel. But it's just upstream LAN traffic. I can't figure out how to set this up.
1MX - WAN 192.168.1.26 (upstream gateway's LAN), LAN - 192.168.26.1 - no clients here.
2MX - WAN 192.168.4.26 (upstream gateway's LAN), LAN - 192.168.27.1 - no clients here.

I need 192.168.1.0 and 192.168.4.0 to talk. This is only needed for a couple of clients, so I can set static routes on them, if necessary, to get to the VPN. In fact, I have this setup already, but the MXs don't let packets through. I haven't been able to figure out what happens with them.
I can put static routes into upstream gateways, too, if needed.

1 Accepted Solution
PhilipDAth
Kind of a big deal

You need to use VPN concentrator mode.  192.168.26.0/24 and 192.168.27.0/24 would cease to exist.  You would only have 192.168.1.0/24 and 192.168.4.0/24 in play.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide


With this only the WAN port is used on the MX.  On your existing NAT device, you simply add a static route pointing to the MX for the remote subnets.

There are no changes to the clients or where they plug into the network.

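The design in this answer, traced as an added Python example (not code from the thread or from Meraki): constructed routing tables for the two upstream gateways (assumed names gw1/gw2) and the two concentrator-mode MXs (mx1/mx2), with a check that both the request and the reply are delivered. It also shows the failure when the static route is added on only one upstream gateway: the request arrives, but the reply follows that gateway's default route and never reaches the tunnel. Host addresses 192.168.1.50 and 192.168.4.50 are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology after the accepted answer: each MX in one-armed concentrator
# mode has only its WAN address on the upstream LAN, and each upstream gateway
# (gw1/gw2, assumed names) carries a static route for the remote subnet pointing at
# its local MX. Tables are lists of (prefix, next hop); "local" means on-link
# delivery, "internet" means the gateway's default route (traffic leaves the site).
# An MX forwarding to its own upstream LAN is modelled as handing to that gateway.
CONCENTRATOR = {
    "gw1": [("192.168.1.0/24", "local"), ("192.168.4.0/24", "mx1"), ("0.0.0.0/0", "internet")],
    "mx1": [("192.168.1.0/24", "gw1"), ("192.168.4.0/24", "mx2")],  # AutoVPN to mx2
    "mx2": [("192.168.4.0/24", "gw2"), ("192.168.1.0/24", "mx1")],  # AutoVPN to mx1
    "gw2": [("192.168.4.0/24", "local"), ("192.168.1.0/24", "mx2"), ("0.0.0.0/0", "internet")],
}
# Same design, but the static route was only added on one side (gw2 has none to mx2).
ONE_SIDED = dict(CONCENTRATOR, gw2=[("192.168.4.0/24", "local"), ("0.0.0.0/0", "internet")])

def next_hop(table, dst):
    """Longest-prefix match over one routing table; None when nothing matches."""
    best = None
    for prefix, hop in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(routes, start, dst, max_hops=8):
    """Walk next hops from `start` toward `dst`; returns (path, outcome)."""
    dst, node, path = ip_address(dst), start, [start]
    for _ in range(max_hops):
        hop = next_hop(routes[node], dst)
        if hop == "local":
            return path, "delivered"
        if hop == "internet":
            return path, f"leaked to internet at {node}"
        if hop is None:
            return path, f"no route at {node}"
        node = hop
        path.append(node)
    return path, "loop"

def check_both_directions(routes, a="192.168.1.50", b="192.168.4.50"):
    """Forward AND return path must both deliver, or the connection never completes."""
    fwd = trace(routes, "gw1", b)  # host on 192.168.1.0/24 sends via its gateway gw1
    rev = trace(routes, "gw2", a)  # reply from 192.168.4.0/24 enters at gw2
    return {"forward": fwd, "return": rev,
            "ok": fwd[1] == "delivered" and rev[1] == "delivered"}

if __name__ == "__main__":
    for name, routes in (("concentrator", CONCENTRATOR), ("one-sided", ONE_SIDED)):
        print(name, check_both_directions(routes))
```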

3 Replies
alemabrahao
Kind of a big deal

I believe you just need to activate auto VPN.


https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

Communication is only between the LANs; the WANs are used to establish the tunnel.

