Is it a supported configuration to have multiple MX appliances behind a single NAT device with Auto VPN? I have two MXs in a lab environment and it works fine. I am trying to do a quick patch for a customer issue until they get proper links. I don't think the vpn registry should have an issue because each MX would use a different source port even if the public IP is the same.
Yes, if I understand what you described this is supported and should work fine. I have that type of setup in my own home lab with multiple MX appliances behind the same NAT and all AutoVPN'd together. The VPN Reg and devices themselves are fully aware of both public and interface addresses and src/dst ports and the tunnels should form without issue.
Thanks MeakiDave, just wanted to confirm.
Hi,
Is this true also when the two internal MX appliances are in different subnets?
I assume in either case there is hairpin NAT necessary on the internet gateway router.
Kind regards,
Frank
Source: https://meraki.cisco.com/blog/2018/06/all-about-autovpn/:
The punch process
The punch process is actually the “client” in a client-server relationship, with the server portion being the “Cisco Meraki VPN Registry.” The VPN Registry is a service independent of the Meraki dashboard, used to register each MX’s public and interface IP addresses. The Registry then uses some simple logic to understand how to route between the various MXs in an organization (in order to create VPN tunnels). Namely:
The VPN registry then passes this information to the dashboard.
I guess I just found the answer:
"If the two MX’s public IP addresses match, then the MXs in question are in the same private network. As such, they should route to one another via their interface IP addresses"
Yes, we do this a lot, we have about twenty MXs that all appear as the same public IP and the SDWAN connections form between the private WAN IP addresses.
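As an added illustration of the registry logic quoted from the blog post and of the point raised in the original question (peers behind one NAT are told apart by their NAT'd source port), here is a small Python model of the peer-selection rule. This is example code written for this page, not Meraki's implementation or anything posted in the thread; the field names, addresses and port numbers are constructed, and real registry behaviour (keepalives, port changes, multiple uplinks) is not modelled.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class MxRegistration:
    """What one MX registers with the VPN Registry, per the thread:
    its public (post-NAT) address and port plus its own interface address and port.
    Field names are assumptions for this example."""
    name: str
    public_ip: str        # address the registry sees after NAT
    public_port: int      # UDP source port the registry sees after NAT
    interface_ip: str     # the MX's own WAN interface address
    interface_port: int   # UDP source port the MX itself uses


def peer_endpoint(local: MxRegistration, remote: MxRegistration) -> Tuple[str, int]:
    """Return the (ip, port) that `local` should send to in order to reach `remote`.

    Rule quoted from the blog: if both MXs show the same public IP, they are
    behind the same NAT and should talk via interface addresses. Otherwise
    they traverse the NAT and use the remote's public address and NAT'd port.
    """
    if local.public_ip == remote.public_ip:
        return (remote.interface_ip, remote.interface_port)
    return (remote.public_ip, remote.public_port)


def full_mesh(registrations: List[MxRegistration]) -> Dict[Tuple[str, str], Tuple[str, int]]:
    """Tunnel endpoints for every ordered pair of MXs in an organization."""
    plan: Dict[Tuple[str, str], Tuple[str, int]] = {}
    for a, b in combinations(registrations, 2):
        plan[(a.name, b.name)] = peer_endpoint(a, b)
        plan[(b.name, a.name)] = peer_endpoint(b, a)
    return plan


def nat_collisions(registrations: List[MxRegistration]) -> Dict[Tuple[str, int], List[str]]:
    """(public_ip, public_port) pairs registered by more than one MX.

    The registry distinguishes MXs behind a shared public IP by their NAT'd
    source port, so a collision here means two peers would look identical to
    it; an empty result is the check you want for a multi-MX-behind-one-NAT site.
    """
    seen: Dict[Tuple[str, int], List[str]] = {}
    for r in registrations:
        seen.setdefault((r.public_ip, r.public_port), []).append(r.name)
    return {key: names for key, names in seen.items() if len(names) > 1}


# Constructed sample: two lab MXs in different private subnets behind one NAT
# (203.0.113.10), plus a headquarters MX with its own public address.
SAMPLE = [
    MxRegistration("mx-lab-a", "203.0.113.10", 40001, "192.168.10.2", 9350),
    MxRegistration("mx-lab-b", "203.0.113.10", 40002, "192.168.20.2", 9350),
    MxRegistration("mx-hq", "198.51.100.5", 9350, "198.51.100.5", 9350),
]

if __name__ == "__main__":
    for pair, endpoint in sorted(full_mesh(SAMPLE).items()):
        print(f"{pair[0]} -> {pair[1]}: {endpoint}")
    print("collisions:", nat_collisions(SAMPLE))
```

In the sample, the two lab MXs reach each other on their 192.168.x interface addresses (no hairpin through the Internet gateway is involved in this rule, but the two private subnets must of course route to each other), while the HQ MX reaches each of them on the shared public IP with a different NAT'd port. The `nat_collisions` check is the condition the original question implicitly relies on: distinct source ports after NAT.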