Non-Meraki with NAT
Hey everybody,
I have a hub-and-spoke setup with full mesh over 4 different sites; now we need a non-Meraki VPN to a customer site.
So replacing it with an MX is not an option. Configuring it with a non-Meraki firewall is not a problem, but then I would need connectivity from all the spokes to the non-Meraki, and the non-Meraki needs to be NATted, because their current range is already used in our environment.
Labels: 3rd Party VPN, Auto VPN, Azure
I have previously handled this case by deploying StrongSwan on a virtual Ubuntu instance. Not the best solution and a bit complicated.
I have also had customers deploy virtual ASAs for site-to-site VPNs (in a Meraki environment).
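As an added example, not code from the poster, from Meraki or from the strongSwan project, here is what the "strongSwan on Ubuntu" workaround looks like when the customer's range collides with your own: a swanctl.conf for the IKEv2 site-to-site tunnel plus the iptables NETMAP rules that present the customer's real range under a non-overlapping alias. Every address, the connection name, the mark value and the PSK placeholder are constructed assumptions; the script only prints the rules and config unless invoked with `apply` on the gateway itself.

```shell
#!/bin/sh
# Added example (not from the thread): Linux IPsec gateway with strongSwan/swanctl
# that 1:1-translates a customer range which collides with our own addressing.
# All addresses below are constructed assumptions (RFC 1918 / RFC 5737 ranges).
set -eu

CUSTOMER_REAL="10.10.0.0/24"      # what the customer really uses; collides with our own 10.10.0.0/24
CUSTOMER_ALIAS="172.31.200.0/24"  # what our hosts use to reach the customer instead
OUR_LOCAL="10.20.0.0/24"          # our range as presented to the customer (no collision, untranslated)
OUR_ADDR="198.51.100.20"          # this gateway's public address (assumed)
PEER_ADDR="203.0.113.10"          # the customer's IKE peer (assumed)
TUNNEL_MARK="0x1"                 # fwmark set on packets that came out of the tunnel
CONF="${SWANCTL_CONF:-/etc/swanctl/conf.d/customer.conf}"

prefix_len() { printf '%s\n' "${1#*/}"; }

# NETMAP keeps the host bits and swaps the prefix, so both prefixes must be the same length.
check_same_size() { [ "$(prefix_len "$1")" = "$(prefix_len "$2")" ]; }

# Emit the NAT rules. NETMAP rewrites the destination in PREROUTING and the source
# in POSTROUTING; conntrack reverses each mapping for the reply packets of a flow.
# The source rewrite is restricted by fwmark to packets that really arrived through
# an IPsec SA, so traffic from our own colliding 10.10.0.0/24 is never rewritten.
netmap_rules() {
  real_net=$1 alias_net=$2
  check_same_size "$real_net" "$alias_net" || { echo "prefix length mismatch: $real_net vs $alias_net" >&2; return 1; }
  cat <<EOF
iptables -t nat -A PREROUTING -d $alias_net -j NETMAP --to $real_net
iptables -t mangle -A PREROUTING -m policy --dir in --pol ipsec -s $real_net -j MARK --set-mark $TUNNEL_MARK
iptables -t nat -A POSTROUTING -m mark --mark $TUNNEL_MARK -s $real_net -j NETMAP --to $alias_net
EOF
}

# Traffic selectors name the customer's REAL range: NAT is applied before the
# kernel's XFRM policy lookup, so the SA must match post-translation addresses.
swanctl_conf() {
  cat <<EOF
connections {
  customer {
    version = 2
    local_addrs = $OUR_ADDR
    remote_addrs = $PEER_ADDR
    proposals = aes256gcm16-prfsha384-ecp384
    dpd_delay = 30s
    local {
      auth = psk
      id = $OUR_ADDR
    }
    remote {
      auth = psk
      id = $PEER_ADDR
    }
    children {
      customer-lan {
        local_ts  = $OUR_LOCAL
        remote_ts = $CUSTOMER_REAL
        esp_proposals = aes256gcm16-ecp384
        start_action = start
        dpd_action = restart
      }
    }
  }
}
secrets {
  ike-customer {
    id-1 = $OUR_ADDR
    id-2 = $PEER_ADDR
    secret = "${CUSTOMER_PSK:-replace-with-a-long-random-psk}"
  }
}
EOF
}

case "${1:-print}" in
  print) netmap_rules "$CUSTOMER_REAL" "$CUSTOMER_ALIAS"; swanctl_conf ;;
  apply) sysctl -w net.ipv4.ip_forward=1
         netmap_rules "$CUSTOMER_REAL" "$CUSTOMER_ALIAS" | sh -e
         swanctl_conf > "$CONF" && chmod 600 "$CONF"
         swanctl --load-all ;;
  *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Two checks worth doing after `apply`: `swanctl --list-sas` and `ip xfrm policy` should show the real customer range in the selectors, and a test from a LAN host (not from the gateway itself, whose locally generated packets bypass PREROUTING) to an alias address should show up in `conntrack -L` with the rewritten destination. In the multi-hub situation from this thread, `local_ts` (and the customer's matching selector) has to cover every site range that should reach the customer through the Azure gateway; if the customer in turn needs to reach one of your colliding ranges, add a mirrored NETMAP pair for that range and put the alias, not the real prefix, in `local_ts`.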
It is not possible to configure NAT for a non-Meraki VPN.
https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation
Please, if this post was useful, leave your kudos and mark it as solved.
You have stated full mesh but also said hub and spoke, so just to be sure: if you are using the term spoke in a Meraki VPN sense, spokes cannot connect to 3rd-party VPNs. In order for all your sites to connect without introducing more gear, every site would have to be a hub and have a public IP. Your environment sounds small enough that that should be OK.
Any NATting of the other VPN device would have to be done on that device, as @alemabrahao states.
Here is the general guide to 3rd party vpns: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peers
Hey, it's a full-mesh setup, to be clear, so yes, all sites are hubs.
The connection to the remote site works, but it's a matter of letting the other hubs route everything over the one hub in Azure. That way we only need one VPN connection to the customer's site.
I don't see anywhere that it's not supported, but I also don't have the option to enable the VPN NAT, although there should be an option to set 'VPN subnet translation' enabled.
Although it is not in the document, it is not actually supported and, as stated, the non-Meraki VPN does not participate in SD-WAN routing.
In other words, it is not possible to do what you want. Unfortunately, the non-Meraki VPN is limited.
Please, if this post was useful, leave your kudos and mark it as solved.
And for SD-WAN you must ask Meraki support to enable the feature.
Please, if this post was useful, leave your kudos and mark it as solved.
I've had to do the same for some clients.
Please, if this post was useful, leave your kudos and mark it as solved.
Thanks for the answers.
I will look to test the StrongSwan solution.
Although I find it a bit of a pity that the product is so limited:
I can't do outbound NAT (function as an Internet gateway).
I can't do NAT on an external VPN or work as a VPN concentrator.
So, to be honest, I don't see a lot of added value in deploying a vMX in Azure instead of VPN Gateway or StrongSwan in a small environment. I have another customer with 140 sites; that's a different story, of course.
