Port forwarding from MX1 to device behind MX2 (same organization, Auto VPN)

Solved
jOMeraki2
Getting noticed


I have two MX devices (MX1 and MX2) in the same organization connected via Auto VPN.
MX1 is configured as the default route (exit hub) for MX2.

I’d like to know if it’s possible to create a port forwarding rule on MX1 that forwards traffic to a device located behind MX2.

Example setup:

MX1 (main site, default route)

MX2 (branch site, connected via Auto VPN)

I want to forward a specific port from MX1’s public IP to a private IP behind MX2.

Is this supported, or should the port forwarding be configured only on MX2’s WAN directly?
Any best practices or workarounds would be appreciated.

1 Accepted Solution
ConnorL
Meraki Employee All-Star

Unfortunately no. The MX only supports configuring a port forward to a locally configured VLAN; you cannot configure a port forward for an AutoVPN destination. You'll get the following error:

Invalid port forwarding rule: The IP address 172.20.10.10 is not on a configured subnet.

5 Replies
jimmyt234
Head in the Cloud

Solved: Port Forwarding to Device on Site via Site-to-Site VPN - The Meraki Community

Is this any different to the time you asked previously?

jOMeraki2
Getting noticed

Yes, it is different. In this case, I am dealing with two devices within the same organization, and they are connected via Auto VPN, unlike the previous instance.

jimmyt234
Head in the Cloud

Fair enough - my apologies 😊

MarcP
Kind of a big deal

As far as I know, port forwarding does not work through Auto VPN.

At least in the past, when I tried it, a long time ago.

Maybe you have a public IP/DynDNS at the MX2 site and you can configure it like this.
