Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX auto VPN multiple MX behind same public IP

Solved
kwillacey
Here to help
‎Feb 18 2019 6:42 PM
‎Feb 18 2019 6:42 PM

MX auto VPN multiple MX behind same public IP

Is it a supported configuration to have multiple MX appliances behind a single NAT device with Auto VPN? I have two MXs in a lab environment and it works fine. I am trying to do a quick patch for a customer issue until they get proper links. I don't think the vpn registry should have an issue because each MX would use a different source port even if the public IP is the same.

 

test.jpg

0 Kudos
Subscribe
1 Accepted Solution
MerakiDave
Meraki Employee
Meraki Employee
‎Feb 18 2019 7:23 PM
‎Feb 18 2019 7:23 PM

Yes, if I understand what you described this is supported and should work fine.  I have that type of setup in my own home lab with multiple MX appliances behind he same NAT and all AutoVPN'd together.  The VPN Reg and devices themselves are fully aware of both public and interface addresses and src/dst ports and the tunnels should form without issue.

View solution in original post

Subscribe
5 Replies 5
MerakiDave
Meraki Employee
Meraki Employee
‎Feb 18 2019 7:23 PM
‎Feb 18 2019 7:23 PM

Yes, if I understand what you described this is supported and should work fine.  I have that type of setup in my own home lab with multiple MX appliances behind he same NAT and all AutoVPN'd together.  The VPN Reg and devices themselves are fully aware of both public and interface addresses and src/dst ports and the tunnels should form without issue.

Subscribe
In response to MerakiDave
kwillacey
Here to help
‎Feb 19 2019 6:04 AM
‎Feb 19 2019 6:04 AM

Thanks MeakiDave, just wanted to confirm.

0 Kudos
Subscribe
In response to MerakiDave
Frank-NL
Getting noticed
yesterday
yesterday

Hi,

Is this true also when the two internal MX appliances are in different subnets?

I assume in either case there is hairpin NAT necessary on the internet gateway router.

 

Kind regards,

Frank

0 Kudos
Subscribe
In response to Frank-NL
Frank-NL
Getting noticed
yesterday
yesterday

Source: https://meraki.cisco.com/blog/2018/06/all-about-autovpn/:

The punch process
The punch process is actually the “client” in a client-server relationship, with the server portion being the “Cisco Meraki VPN Registry.” The VPN Registry is a service independent of the Meraki dashboard, used to register each MX’s public and interface IP addresses. The Registry then uses some simple logic to understand how to route between the various MXs in an organization (in order to create VPN tunnels). Namely:

  • Check for match – If the MX’s public IP and the interface IP match, then the MX in question is directly connected to the internet on that WAN interface
  • No Match – MX WAN circuits with different public IP addresses should route between those public IP addresses directly
  • Route Initiated – If the two MX’s public IP addresses match, then the MXs in question are in the same private network. As such, they should route to one another via their interface IP addresses

The VPN registry then passes this information to the dashboard.

0 Kudos
Subscribe
In response to Frank-NL
Frank-NL
Getting noticed
yesterday
yesterday

I guess I just found the answer:
"If the two MX’s public IP addresses match, then the MXs in question are in the same private network. As such, they should route to one another via their interface IP addresses"

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.