PAT on Meraki MX?

Getting noticed

Is it possible to configure port address translation for incoming traffic from a site to site VPN? I would like incoming traffic from the peer site to translate to the inside LAN interface of the Meraki MX.



Kind of a big deal

Yes, you can do 1:Many NAT on site-to-site VPN. Have a look at the link below and check for 1-to-many (1:M) VPN NAT there.


Cisco IT Blogs awarded in 2020 & 2021

I see this "This feature is only supported for Auto VPN and is not intended to work with non-Meraki VPN peers."


So it will not work for a site-to-site VPN between a Meraki and a non-Meraki peer?


That sucks if that's the case. 



Kind of a big deal

@hmc250000, unfortunately the answer here is no. The only NAT you can do on site-to-site VPN is the one linked to by Inderdeep, and this is intended for when you have spoke sites which have overlapping IP address ranges. (It’s a 1:1 NAT and not a PAT).


What are you trying to achieve/what’s the problem? Maybe there is another way to get the outcome you require with the Meraki solution.

We have overlapping IP ranges for a site-to-site VPN with an external partner.


And by the way I do not see the option to enable VPN subnet translation (only VPN on or VPN off). However AutoVPN is already enabled. 

Kind of a big deal

It will only work with Meraki peers; it doesn't work with non-Meraki peers. If you want it enabled you have to contact support, then you'll see the option to enable it if needed.

Meraki Employee

Actually, subnet translation might work on non-Meraki VPN, but it's not supported. I had a customer try this, a few years back, despite it not being officially supported - and it apparently worked. I discovered later that they'd stopped using the feature, but without any feedback, unfortunately.


As someone else asked, it would be good to understand the use case.
