Port Forwarding to Device on Site via Site-to-Site VPN

Solved
jOMeraki2
Getting noticed

Hello Meraki Team / Community,

I have a scenario with two Meraki sites connected via a Site-to-Site VPN:

- Site 1: connected to the Internet, could potentially act as an Exit Hub.
- Site 2: contains a device in its LAN with IP 10.200.133.11 that I need to access from the Internet.

Please note that these two sites are in **different Meraki organizations**.

I know how to set up Port Forwarding on the site where the server resides, but in this scenario, the device is in Site 2. I would like to know if it is possible to:

1. Make Site 1 act as an Exit Hub.
2. Configure Port Forwarding on the WAN interface of Site 1 to reach the device in Site 2 (across the VPN).

I will attach a diagram showing the topology and the expected path for the Port Forwarding.

If direct Port Forwarding over the VPN is not supported, what are the recommended alternatives to achieve the same result?

Thank you for your guidance.

[Attached diagram: topology of the two sites and the expected port-forwarding path]

1 Accepted Solution
PhilipDAth
Kind of a big deal

There is only one way to make this work, and that is to put a reverse proxy at MX site 1.

If you have a Windows machine there, you can use the "netsh interface portproxy" command.
https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portp...

At site one you then PAT to this machine, and this machine will then forward the request to site 2.
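
The relay described in the accepted solution, written out as an added example (this is not code from the original post or from Meraki documentation). It assumes a Windows host at Site 1 with the LAN IP 10.100.0.50, a public listen port of TCP 8443, and TCP 443 as the service port on the Site 2 device 10.200.133.11; the host IP, both port numbers and the 203.0.113.0/24 allowed source range are assumptions for illustration. It is typed into an elevated PowerShell session on that Windows host.

```powershell
# Added example: TCP relay on a Windows host at Site 1 using netsh portproxy.
# Assumptions (hypothetical, not from the thread): this host's LAN IP is
# 10.100.0.50, the Site 1 MX port-forwards WAN TCP/8443 to it, and the target
# at Site 2 is 10.200.133.11 listening on TCP/443.
$ListenAddress  = '10.100.0.50'     # LAN IP of this Windows host (assumed)
$ListenPort     = 8443              # port the MX forwards to this host (assumed)
$TargetAddress  = '10.200.133.11'   # device at Site 2 (from the original post)
$TargetPort     = 443               # service port on the Site 2 device (assumed)
$AllowedSources = '203.0.113.0/24'  # admin source range allowed in (assumed)

# portproxy rules are served by the IP Helper service (iphlpsvc);
# make sure it runs now and survives reboots.
Set-Service -Name iphlpsvc -StartupType Automatic
Start-Service -Name iphlpsvc

# Create the relay. Listening on the LAN IP rather than 0.0.0.0 keeps the
# listener off any other interface the host may have.
netsh interface portproxy add v4tov4 `
    listenaddress=$ListenAddress listenport=$ListenPort `
    connectaddress=$TargetAddress connectport=$TargetPort

# Windows Firewall: permit the inbound listener only from the expected sources.
New-NetFirewallRule -DisplayName "Relay to Site2 ${TargetAddress}:${TargetPort}" `
    -Direction Inbound -Protocol TCP -LocalPort $ListenPort `
    -RemoteAddress $AllowedSources -Action Allow | Out-Null

# Verify the rule exists, and that the Site 2 service is reachable from this
# host across the VPN (returns True/False).
netsh interface portproxy show v4tov4
Test-NetConnection -ComputerName $TargetAddress -Port $TargetPort -InformationLevel Quiet

# To tear the relay down later:
# netsh interface portproxy delete v4tov4 listenaddress=$ListenAddress listenport=$ListenPort
# Remove-NetFirewallRule -DisplayName "Relay to Site2 ${TargetAddress}:${TargetPort}"
```

On the Site 1 MX, the matching dashboard rule is a port-forwarding entry from WAN TCP 8443 to 10.100.0.50:8443, with "Allowed remote IPs" narrowed to the same source range rather than left at "Any". Three things to keep in mind with this design: portproxy relays TCP only; the Site 2 device sees every connection as coming from the Windows host's address, not the original client, so its own ACLs and logs must account for that; and the Windows host becomes an Internet-reachable pivot into the other company's network, so it should be patched, host-firewalled as above and limited to exactly this one listener.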

9 Replies
RWelch
Kind of a big deal

Do you have the latitude or leeway to put both MX appliances in the same ORG?

If so, you could then leverage S2S AutoVPN and make S1 the exit hub.

I believe your current configuration would be using NMVPN (IPSec Peer) rather than S2S AutoVPN, since the two MX appliances are in different organizations.

Site-to-Site VPN Settings 

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
jOMeraki2
Getting noticed

Unfortunately, I cannot place both MX appliances in the same organization as they belong to two different companies. However, I do have access to both devices.

RWelch
Kind of a big deal

Thanks for the response - S2S AutoVPN would have allowed you to leverage the exit hub as you were wanting to. I'll let others chime in and give their advice. I am not aware of a way to have S1 serve as the exit hub without both MXs using S2S AutoVPN (which requires both MX appliances to be under the same Org).

jOMeraki2
Getting noticed

Thanks for the clarification. Since S2S AutoVPN isn’t an option, I wanted to ask specifically about port forwarding — would it be possible to set it up on S1 to achieve similar functionality?

RWelch
Kind of a big deal

If you were able to leverage S2S AutoVPN (both MXs in the same ORG) it's my belief you wouldn't need any port forwarding in the equation because you could enable the VLAN for the IP you want to share using the S2S AutoVPN.  I will refrain from speculating on the port forwarding at S1 for device access on S2.  That would be a step outside of my wheelhouse.

RWelch
Kind of a big deal

I have used port forwarding on the incoming MX to expose local LAN resources to the WWW for client devices, but not in a relay situation per se. A relay from S1 to S2 is something I've not attempted.

RWelch
Kind of a big deal

@alemabrahao might chime in with an option (workaround).

alemabrahao
Kind of a big deal

Without both MXs being in the same organization, this is impossible.

There's no way to have the site's hub act as an outbound hub for an MX that doesn't belong to the same organization.

Just as there's no way to create a port forward on the MX at site 1 to access the device at site 2. It's not that port forwarding can't be done via S2S VPN, but in this case, since it will be a non-Meraki VPN, port forwarding isn't possible. Even if it were in SD-WAN, it wouldn't be possible. At most, you could do a VPN Subnet Translation.

In other words, it's not possible to do what you want.

What you might be able to do is install a Linux server running strongSwan at each site and establish an S2S VPN between the two servers.

I don't know if it's possible to do this with Strongswan, but I think it's worth looking into.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.