MX - Client VPN Native Meraki or AnyConnect - CGNAT

Carlos1
Comes here often

MX - Client VPN Native Meraki or AnyConnect - CGNAT

Hello Team, I hope you can help me with the following question:

Our MX record is receiving a dynamic public IP address, meaning we don't have a static public IP address from our ISP. Speaking with the ISP, they have a CGNAT on their end.

I've been checking to see if the Meraki or AnyConnect VPN client works with a CGNAT. Has anyone configured it and had it work?

I've been researching this and it seems I need to open UDP ports 500/4500 for VPN traffic, but is there anything else I need to do?

PhilipDAth
Kind of a big deal

If your MX is sitting behind a CGNAT connection, then it won't be possible to do a port forward.

However, you also mention you have a dynamic public IP address. Is this public IP address directly on your MX WAN interface, or does the WAN interface have a private IP address on it?

If it really is CGNAT:

You would need to look at a SASE option like Cisco SecureConnect (if you have fewer than, say, 75 users) or Cisco Secure Access (if you have more than 75 users).

With these options, your VPN terminates in Cisco's cloud and then connects back to your MX via AutoVPN.

If the public IP address really is on your MX, then you can use Cisco Secure Client/AnyConnect, and connect to the DDNS name assigned to your MX. It updates as the dynamic IP address changes.

Carlos1
Comes here often

I have a public IP address that appears in my MX record, but when I connect my WAN port to the ISP's router, I get an IP address in the 192.168.1.x/24 subnet.

Therefore, based on that, I shouldn't be able to use Meraki's secure client.

I'll run some tests to see how it goes.

Brash
Kind of a big deal

That's weird that they're using an RFC 1918 IP Range for CG-NAT instead of the 100.64.0.0/10 range.

But as @PhilipDAth advised, if you're behind CG-NAT you cannot port forward.

KarstenI
Kind of a big deal

Not sure about other countries, but in Germany, I see much more RFC1918 than 100.64/10 on the WAN side. They haven't really adapted to that range yet. But most are in the 10-network and not 192.168-network. And 192.168.1.x/24 is really quite unusual as it will too often overlap with the customers' internal addresses.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
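The diagnostic PhilipDAth asks for (is the public address actually on the MX WAN interface, or is there an upstream NAT?) and the range discussion from Brash and KarstenI can be turned into a small check. The following is an added example, not code from the thread or from Meraki; it uses only the Python standard library, and the addresses in the `__main__` block are constructed for illustration. The check compares the address configured on the WAN interface with the address a remote host observes for the site (for example from a "what is my IP" lookup); if the WAN address is RFC 1918 or in the RFC 6598 shared space 100.64.0.0/10, or the two addresses differ, an ISP NAT sits in the path and inbound UDP 500/4500 cannot be forwarded to the MX.

```python
"""Classify an MX WAN address and decide whether an inbound port forward
(e.g. UDP 500/4500 for IPsec client VPN) can reach the device.
Added example, not from the thread or from Meraki."""
import ipaddress

# RFC 1918 private ranges and the RFC 6598 shared address space used for CGNAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Return 'cgnat-shared', 'rfc1918', 'public' or 'other' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_SHARED:
        return "cgnat-shared"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "other"
    return "public"


def inbound_reachable(wan_addr: str, observed_addr: str) -> tuple:
    """Decide whether a port forward on the MX can be reached from the Internet.

    wan_addr:      address configured on the MX WAN interface.
    observed_addr: address a remote host sees as the source for this site.
    Returns (reachable, reason).
    """
    kind = classify(wan_addr)
    if kind == "public" and wan_addr == observed_addr:
        return True, "public address is on the WAN interface; DDNS name plus port forward will work"
    if kind == "public":
        return False, "WAN address is public but differs from the observed address: an upstream NAT is in the path"
    if kind == "cgnat-shared":
        return False, "WAN address is in 100.64.0.0/10 (RFC 6598): ISP CGNAT, port forwarding is not possible"
    if kind == "rfc1918":
        return False, "WAN address is RFC 1918 (ISP router or CGNAT upstream): inbound 500/4500 cannot reach the MX"
    return False, f"unexpected WAN address type: {kind}"


if __name__ == "__main__":
    # Constructed sample pairs (wan_addr, observed_addr); 203.0.113.0/24 and
    # 198.51.100.0/24 are documentation ranges standing in for public addresses.
    samples = [
        ("192.168.1.20", "203.0.113.5"),   # the situation described in the thread
        ("100.70.1.2", "203.0.113.5"),     # ISP using the RFC 6598 shared space
        ("203.0.113.5", "203.0.113.5"),    # public address directly on the WAN port
        ("203.0.113.5", "198.51.100.9"),   # public on WAN, yet translated upstream
    ]
    for wan, seen in samples:
        ok, why = inbound_reachable(wan, seen)
        print(f"{wan:>14} seen as {seen:>14}: {'OK' if ok else 'NO'} - {why}")
```

In the thread's case (192.168.1.x on the WAN port) the result is "NO" regardless of which public address the site appears as, which matches the replies above: the client VPN endpoint has to live somewhere the Internet can reach, either a WAN port that really carries the public address or a cloud termination point that reaches the MX over an outbound AutoVPN tunnel.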