Multiple S2S VPNs with overlapping subnets — best practice?

Solved
jOMeraki2
Getting noticed

Hi everyone,

I need to establish multiple Site-to-Site VPNs with different customers, but they all use the same internal subnet (for example, 192.168.1.0/24).
I only have control over my side of the VPN — I cannot make changes on the customer firewalls.

I’m open to using additional devices on my side if needed, but I mainly want to understand the concept: is it feasible to handle overlapping subnets using NAT per tunnel or any other method?

Also, is this approach possible with Cisco Meraki devices, or would it require other Cisco platforms?

Thanks in advance for any guidance.

1 Accepted Solution
GIdenJoe
Kind of a big deal

In Meraki SD-WAN appliances you are only able to translate your internal subnets to avoid overlaps with your own networks. This feature CAN be used to translate your own also to IPsec peers; however, the other side must translate its own subnet if it has to be unique to you.

If this is not a possibility but you still want to use Meraki SD-WAN for your own WAN, then you must use another type of device that does support NAT in any direction, like a Cisco Secure Firewall, Cisco Secure Router or a third-party device. Then from the Meraki SD-WAN part you can just route to that device for the remote subnets and make that subnet available over the SD-WAN so all your branches can reach it.

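To make the per-tunnel NAT concept from the accepted answer concrete, here is an added planning example (not Meraki code, and not from the original thread): every customer presents the same 192.168.1.0/24, so the NAT device on our side gives each tunnel its own unique "translated" copy of that subnet, carved from a pool we own, and rewrites the destination 1:1 before it enters that customer's tunnel. The pool, the own-subnet list and the customer names are constructed assumptions; it only covers the destination-side translation, so if our side also overlaps with the customer, the customer still has to translate their own view of us, as the answer says.

```python
"""Plan per-tunnel 1:1 destination NAT for site-to-site VPNs whose remote
subnets all overlap (e.g. every customer uses 192.168.1.0/24).

Each tunnel gets a unique translated prefix of the same size. Hosts on our
side address the translated copy; the NAT device on our side rewrites it to
the customer's real address before encrypting into that customer's tunnel.
Constructed example data; this is not Meraki or Cisco code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    name: str
    real_remote: ipaddress.IPv4Network   # subnet as the customer sees it
    translated: ipaddress.IPv4Network    # unique subnet as our side sees it


def plan_nat_pools(customers, pool, own_subnets):
    """Assign each (name, subnet) customer a unique translated subnet carved
    from `pool` with the same prefix length as the customer's real subnet.
    Raises ValueError if the pool runs out; a candidate that overlaps one of
    our own networks or an already assigned translation is skipped."""
    own = [ipaddress.ip_network(s) for s in own_subnets]
    pool = ipaddress.ip_network(pool)
    tunnels = []
    for name, real in customers:
        real = ipaddress.ip_network(real)
        for cand in pool.subnets(new_prefix=real.prefixlen):
            used = any(cand.overlaps(t.translated) for t in tunnels)
            clash = any(cand.overlaps(o) for o in own)
            if not used and not clash:
                tunnels.append(Tunnel(name, real, cand))
                break
        else:
            raise ValueError(f"no free translated subnet for {name}")
    return tunnels


def translate(tunnels, dst):
    """Map a destination our hosts use to (tunnel name, real customer IP).
    The host offset inside the subnet is preserved (1:1 NAT)."""
    dst = ipaddress.ip_address(dst)
    for t in tunnels:
        if dst in t.translated:
            offset = int(dst) - int(t.translated.network_address)
            return t.name, str(t.real_remote.network_address + offset)
    raise LookupError(f"{dst} is not in any translated pool")
```

Because the translated subnets never overlap each other or our own networks, the route to each customer is unambiguous even though all three real subnets are identical.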

3 Replies
Brash
Kind of a big deal

With Meraki, you can use site-to-site NAT translation. It would need to be enabled by support on your organization.

https://documentation.meraki.com/MX/Design_and_Configure/Configuration_Guides/Site-to-site_VPN/Using...


I imagine most vendors would implement something similar for overlapping subnets.

alemabrahao
Kind of a big deal

Just one question: are you talking about the VPN within the SD-WAN, not a non-Meraki VPN, correct?

If it's a non-Meraki VPN, you can't use NAT on the VPN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
