Or forward UDP 500 and 4500 through to the MX. 

http://blog.brokennetwork.ca | @jdsilva

Do I forward from the modem or from the Cisco router?

Is the MX sitting behind the modem or the Cisco router? If it's behind the modem then do that in the modem, if it's behind the Cisco do it in the Cisco.

The Client VPN is IPSec based.

It sounds like your 2911 is also running an IPSec VPN.

You can't forward te required ports, because it would break the VPN on the 2911.

This is not a workable situation.

So the only option is to get a separate public ip for the Meraki VPN?

That is the best and most reliable option.

Thanks for all of you guys help. I think getting a public is the simplest solution. 

---

@PhilipDAth wrote:

The Client VPN is IPSec based.

It sounds like your 2911 is also running an IPSec VPN.

 

You can't forward te required ports, because it would break the VPN on the 2911.

 

This is not a workable situation.

---

Shoot., I missed that part. Nice catch @PhilipDAth. 

http://blog.brokennetwork.ca | @jdsilva

Depends on whether that's an outgoing tunnel I guess.

The Client VPN is always inbound.

As soon as you try and NAT udp/500 and udp/4500 through to the MX it would break all IPSec functionality on the 2911 - as any of those packets would get forwarded.

I'm not sure if the 2911 would even let you configure that NAT translation with IPSec configured.

Hmm. He didn't say the vpn on his Cisco is client vpn? In fact he didn't even say it was ipsec?

>Hmm. He didn't say the vpn on his Cisco is client vpn? In fact he didn't even say it was ipsec?

If it was an SSL VPN there would be no issues.  The most probably reason it broke (IMHO) is because it is using the same ports, meaning it is using IPSec also.  I have not idea if the 2911 is using site to site or client VPN, but if it is using IPSec, it really doesn't matter.

Only one thing can process the IPSec UDP ports at a time.