S2S vpn overlapping subnets - Nat Lan to outside interface

Getting noticed


When setting up a site-to-site VPN with overlapping subnets, can you NAT an internal subnet to the outside interface (or a single public IP address) of the MX appliance on both sides of the VPN (the other side is a non-Meraki peer)? Like PAT overloading or many-to-1 NATing. Is this possible? > NAT to outside interface ----Internet-----NAT to outside interface <

Building a reputation

Hi, not exactly as you described, but something similar is possible; however, this will only work with Meraki Auto-VPN. According to the documentation, this feature will not work with non-Meraki peers.




Thanks. I do see the source address and source NATed address. Where are the destination address and destination NATed address defined?

Kind of a big deal

@hmc250000 : Check this one 



Cisco IT Blogs awarded in 2020 & 2021
Building a reputation

Actually, since this is for Auto VPN only, there is no need to define destination addresses.

You only do source NAT; the other end does its own source NAT, and those subnets should be advertised in the routing table. -> translate to -> talk to -> <- translate to


If you want to have 1:Many source NAT, the Port forwarding and NAT might be an option, but I doubt they will source traffic from the s2s VPN interface. They are designed by default to source traffic from WAN interfaces.

Therefore, this is more likely to work when you have multiple sites with the same IP range connected to a VPN hub which will only initiate communication with the networks behind the hub but not between them, or networks behind the hub will not be able to initiate communication with them.
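The source-NAT arrangement described in the reply above, modelled as an added example that is not part of the thread and is not Meraki configuration: each site translates its overlapping LAN 1:1 into a unique subnet, and only the translated subnets appear in the VPN routing table. The site names, the `10.255.x.0/24` ranges and all function names are constructed for illustration.

```python
import ipaddress

def translate(addr, local_net, vpn_net):
    """1:1 subnet translation: keep the host bits, swap the network prefix."""
    addr = ipaddress.ip_address(addr)
    local_net = ipaddress.ip_network(local_net)
    vpn_net = ipaddress.ip_network(vpn_net)
    if local_net.prefixlen != vpn_net.prefixlen:
        raise ValueError("1:1 translation needs equal prefix lengths")
    if addr not in local_net:
        raise ValueError(f"{addr} is not in {local_net}")
    offset = int(addr) - int(local_net.network_address)
    return str(vpn_net.network_address + offset)

def check_plan(sites):
    """Return pairs of sites whose advertised (translated) subnets overlap."""
    items = [(name, ipaddress.ip_network(s["vpn"])) for name, s in sites.items()]
    clashes = []
    for i, (a, net_a) in enumerate(items):
        for b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((a, b))
    return clashes

def flow(sites, src_site, src_ip, dst_site, dst_ip):
    """Addresses seen inside the tunnel; both IPs are given as real LAN addresses.

    Each end only source-translates its own traffic, so the sender must
    address the peer by the peer's advertised (translated) address.
    """
    s, d = sites[src_site], sites[dst_site]
    return (translate(src_ip, s["local"], s["vpn"]),
            translate(dst_ip, d["local"], d["vpn"]))

# Constructed sample: both sites use the same LAN range.
SITES = {
    "site_a": {"local": "192.168.1.0/24", "vpn": "10.255.1.0/24"},
    "site_b": {"local": "192.168.1.0/24", "vpn": "10.255.2.0/24"},
}

if __name__ == "__main__":
    print(check_plan(SITES))  # no clashes between advertised subnets
    print(flow(SITES, "site_a", "192.168.1.10", "site_b", "192.168.1.10"))
```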

Forgot to ask, would this work with Meraki MX in a different Organization? 

Building a reputation

No, this will not work.

Two Meraki MXes in different organizations can establish site to site VPN only as Non-Meraki peers.
