Site-to-Site VPN Between Two Different Locations Using the Same Subnet

overblower
Just browsing


I want to create two different networks for two different cities. Each city will use the same security appliance (MX75).

City 1: They already use the subnet 143.161.64.X.
Example:

  • City1 SCADA SERVER-A IP: 143.161.64.16

  • City1 SCADA SERVER-B IP: 143.161.64.17

City 2: They also use the same subnet 143.161.64.X.
Example:

  • City2 SCADA SERVER-A IP: 143.161.64.216

  • City2 SCADA SERVER-B IP: 143.161.64.217


We want to connect a specific laptop to City 1, and it should use the IP address 143.161.64.50.
This laptop should also be able to ping servers located in both City1 and City2.

When I try to configure this, I get the error:
"The VLAN subnet 143.161.64.0/24 conflicts with a remote VPN subnet on the network City1 (143.161.64.0/24)."

I do not want to change the subnet in either city.

Could you please support me in this case?
Thank you in advance.

5 Replies
Shubh3738
A model citizen

MX appliances cannot build VPN tunnels between sites that advertise overlapping subnets.

This is why the Meraki Dashboard shows the error:
“The VLAN subnet 143.161.64.0/24 conflicts with a remote VPN subnet.”

ConnorL
Meraki Employee All-Star

The closest thing you could do is Site to Site VPN Translation.

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation


Note: When configuring VPN subnet translation for a local subnet that exists in multiple locations, the duplicated subnet must be translated at each network that is configured to allow VPN access.
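
To make the two ideas in this thread concrete, here is a small added example (not Meraki's code and not anything from the KB): it first shows why two sites that advertise the same local subnet conflict, then models what VPN subnet translation does, a 1:1 mapping of each site's duplicated subnet onto a unique VPN-side subnet while keeping the host bits. The translated subnets 10.64.1.0/24 and 10.64.2.0/24 are assumptions chosen for the example.

```python
import ipaddress

# Constructed sample based on the post: both cities use 143.161.64.0/24 locally.
# The "vpn" subnets are assumed translated ranges, not values from the thread.
SITES = {
    "City1": {"local": "143.161.64.0/24", "vpn": "10.64.1.0/24"},
    "City2": {"local": "143.161.64.0/24", "vpn": "10.64.2.0/24"},
}


def find_conflicts(sites, use_translation=False):
    """Return (site_a, site_b) pairs whose advertised VPN subnets overlap.

    Without translation each site advertises its local subnet, which is exactly
    the condition behind the Dashboard error quoted in the post. With translation
    each site advertises its unique VPN-side subnet instead.
    """
    key = "vpn" if use_translation else "local"
    nets = {name: ipaddress.ip_network(cfg[key]) for name, cfg in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def translate(ip, local_subnet, vpn_subnet):
    """1:1 translate a host address: keep the host bits, swap the network bits."""
    ip = ipaddress.ip_address(ip)
    local = ipaddress.ip_network(local_subnet)
    vpn = ipaddress.ip_network(vpn_subnet)
    if local.prefixlen != vpn.prefixlen:
        raise ValueError("local and VPN subnets must have the same prefix length")
    if ip not in local:
        raise ValueError(f"{ip} is not inside {local}")
    host_bits = int(ip) - int(local.network_address)
    return ipaddress.ip_address(int(vpn.network_address) + host_bits)


def vpn_address(sites, site, ip):
    """The address a remote VPN peer would use to reach `ip` at `site`."""
    cfg = sites[site]
    return str(translate(ip, cfg["local"], cfg["vpn"]))


if __name__ == "__main__":
    print(find_conflicts(SITES))                         # [('City1', 'City2')]
    print(find_conflicts(SITES, use_translation=True))   # []
    print(vpn_address(SITES, "City1", "143.161.64.16"))  # 10.64.1.16
    print(vpn_address(SITES, "City2", "143.161.64.216")) # 10.64.2.216
```

The laptop at City1 would then reach City2's SERVER-A via its translated address rather than the duplicated 143.161.64.216, which is why the note above says the duplicated subnet has to be translated at every site that participates in the VPN.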

overblower
Just browsing

According to the link, I should do the following steps:

  1. Go to Security & SD-WAN > Configure > Site-to-site VPN.

  2. Turn on VPN subnet translation. This will make a new VPN subnet column appear for the local networks.

But the "VPN Subnet Translation" option mentioned in step 2 does not appear on the page.

ConnorL
Meraki Employee All-Star

As per the KB:

Note: The features described in this article must be enabled by Cisco Meraki Support.

Please open a Support ticket to request this feature.
PhilipDAth
Kind of a big deal

I feel your pain. I am going to suggest a completely different solution.


  1. Have the user use client VPN to connect to the site they want to work on. They can work on either site, but only one at a time.
  2. Deploy a "jump host" at City2 (such as a Windows virtual machine). Have them install all their SCADA software there. Have them RDP to that host when needing to work in City2.
     • You can put that jump host in a new VLAN (at City2) that does not have overlapping IP addresses, and build an AutoVPN to that.
     • Have them use client VPN to access it.
     • Or, as a last choice, NAT a public IP address through to it, limit that NAT entry to the public IP address used by City1, and have them RDP to that.


Bonus points when using a jump host: limit SCADA access to only that jump host, and then deploy something like Duo MFA to secure the jump host (this also provides comprehensive audit logs of access).


I have set up a really strict "life or death" control environment before, and we added an extra step in that the account used to access the SCADA jump host was normally disabled. Any changes had to be approved. Once approved, the account was enabled at the nominated time and was set to disable automatically once the time had expired.
