MX100 Behind ISR4331

Here to help

MX100 Behind ISR4331

Hello All,

I have a Meraki MX100 behind a Cisco ISR4331 and I cannot figure out how to get the Client VPN to work.


The router has a non-routable IP for the WAN side, I have /29 of public IP's. I have the subnet advertised by BGP on the router. I have a private routable for the LAN side of the router and WAN side of the MX100. The first IP address of the public block is NAT'ed to the MX100. I have the rest of the IP's NAT'ed on the MX100 to the network behind it.


Internet --- ISR4331 --- MX100 --- MS250


Although I haven't tested yet I am guess that Point-to-Point VPN's will not work either.

If someone would point me in the right direction I would be most appreciative.

Kind of a big deal
Kind of a big deal

You are better to move your routable IP block so it is between the 4331 and the MX100.


Failing that, if you are using client VPN to the MX100 you need to make sure udp/500 and udp/4500 are NATed through to the MX100 WAN interface IP address.


You wont be able to directly NAT on the ISR4331 to IP addresses behind the MX100.  You will need to NAT (on the ISR4331) to an IP address that is between in the ISR4331 and the MX100, and then NAT again (on the MX100) from that IP address to the final internal IP address.


However like I say, it is a million times simpler if you can just put the public IP address block between the ISR4331 and the MX100.

So my 4331 LAN IP one of the /29? I thought of doing that but don't really want to bleed IP's.


I tried forwarding the UDP ports through the NAT, but it didn't work. The configuration I tried is below.

ip nat inside source static udp 500 X.X.X.X 500

ip nat inside source static udp 4500 X.X.X.X 4500

Yes, so your ISR4331 would have one of the /29 IP addresses.


Try forwarding ESP (which is an IP protocol) as well otherwise.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.