I have a Meraki MX100 behind a Cisco ISR4331 and I cannot figure out how to get the Client VPN to work.
The router has a non-routable IP for the WAN side, and I have a /29 of public IPs. I have the subnet advertised by BGP on the router. I have a private routable for the LAN side of the router and WAN side of the MX100. The first IP address of the public block is NAT'ed to the MX100. I have the rest of the IPs NAT'ed on the MX100 to the network behind it.
Internet --- ISR4331 --- MX100 --- MS250
Although I haven't tested yet, I am guessing that point-to-point VPNs will not work either.
If someone would point me in the right direction I would be most appreciative.
You are better off moving your routable IP block so it is between the 4331 and the MX100.
Failing that, if you are using client VPN to the MX100 you need to make sure udp/500 and udp/4500 are NATed through to the MX100 WAN interface IP address.
You won't be able to directly NAT on the ISR4331 to IP addresses behind the MX100. You will need to NAT (on the ISR4331) to an IP address that is between the ISR4331 and the MX100, and then NAT again (on the MX100) from that IP address to the final internal IP address.
However, like I say, it is a million times simpler if you can just put the public IP address block between the ISR4331 and the MX100.
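
As an added illustration of the udp/500 and udp/4500 forwarding described in the answer above (not part of the original thread), this is what the static port NAT could look like on the ISR4331. The addresses are constructed placeholders and the interface names are assumptions.

```cisco
! Constructed placeholder values (not from the thread):
!   203.0.113.1  = first address of the public /29
!   10.255.0.2   = MX100 WAN interface IP on the ISR-to-MX link
! Interface names are assumptions.
interface GigabitEthernet0/0/0
 description WAN toward Internet
 ip nat outside
!
interface GigabitEthernet0/0/1
 description LAN toward MX100 WAN port
 ip nat inside
!
! Forward IKE (udp/500) and IPsec NAT-T (udp/4500) to the MX100 WAN IP only
ip nat inside source static udp 10.255.0.2 500 203.0.113.1 500 extendable
ip nat inside source static udp 10.255.0.2 4500 203.0.113.1 4500 extendable
!
! Verify after a client attempts to connect:
!   show ip nat translations
```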