Site-to-Site VPN tunnels over private networks


I'm posting here because support hasn't found any documentation yet for a situation we had that I imagine is fairly common.


MX appliance WAN interfaces need Internet access and DNS resolution for their health checks and if doing Auto VPN, connectivity to the cloud hosted VPN registry service. It's a hosted solution, so it's assumed all WAN interfaces have Internet connectivity. The WAN interfaces don't care how they get Internet connectivity, so if they are using private IP addresses you just need a NAT and route out somewhere to get them Internet access. 


We have an MPLS circuit using private IP addressing with no Internet access available. We needed this circuit connected as a WAN interface for SD-WAN. OSPF is also required on the LAN side, so using a LAN interface for the MPLS routing is not an option. The MXs are using Beta code to allow OSPF in NAT mode. Each site has direct Internet access and the MX appliances will be replacing the current firewalls and assuming the NAT responsibilities. The non-MPLS WAN interface is connected to a traditional Internet circuit. 


The solution we have tested successfully uses the MX as its own NAT device and Internet routing. We inserted a layer 3 switch between the MPLS circuit and the MX WAN interface. Then we provided a default route using the MX LAN IP as the next hop on this device with more specific routes for the MPLS networks. The site-to-site VPN tunnel traffic to other MPLS sites follows the MPLS routes while the WAN interface management traffic gets routed back to the LAN interface of the MX. The MX happily provides a NAT for the management traffic with no issue and the WAN interface with the private IP address now has Internet connectivity.
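The design above relies on the layer 3 switch's longest-prefix match: specific routes for the remote MPLS networks point at the MPLS provider, and only what is left (Meraki cloud, DNS, health checks) falls to the default route and hairpins through the MX LAN for NAT. The check a practitioner wants before cutting over is that every remote MPLS peer address really hits a specific route, because any peer that falls through to the default would have its tunnel traffic NATed out the Internet circuit instead. The following is an added example (not part of the original post and not Meraki or Cisco code) that models the switch's routing table and runs that check; all addresses and next hops are constructed placeholders.

```python
import ipaddress

# Constructed example addressing (assumption, not taken from the post):
# the MX LAN IP that the switch uses as its default next hop, and the
# MPLS provider's CE router as next hop for the remote MPLS networks.
MX_LAN_IP = "10.1.0.1"
MPLS_NEXT_HOP = "10.1.250.1"

# More specific routes for the MPLS networks (constructed prefixes).
MPLS_ROUTES = [
    ("10.200.0.0/16", MPLS_NEXT_HOP),
    ("172.16.0.0/12", MPLS_NEXT_HOP),
]

# Default route back to the MX LAN interface, which NATs to the Internet.
DEFAULT_ROUTE = ("0.0.0.0/0", MX_LAN_IP)


def build_table(specific_routes, default_route):
    """Build the switch routing table as (network, next_hop) pairs."""
    table = [(ipaddress.ip_network(prefix), nh) for prefix, nh in specific_routes]
    table.append((ipaddress.ip_network(default_route[0]), default_route[1]))
    return table


def next_hop(table, destination):
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(destination)
    best = None
    for network, nh in table:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, nh)
    return best[1] if best else None


def path_for(table, destination, mx_lan_ip):
    """Describe which path a packet leaving the MX WAN interface takes."""
    if next_hop(table, destination) == mx_lan_ip:
        return "hairpin via MX LAN (NAT to Internet)"
    return "MPLS"


def peers_falling_to_default(table, mpls_peer_ips, mx_lan_ip):
    """Pre-cutover check: remote MPLS peers that would wrongly use the default route."""
    return [peer for peer in mpls_peer_ips if next_hop(table, peer) == mx_lan_ip]


ROUTE_TABLE = build_table(MPLS_ROUTES, DEFAULT_ROUTE)

if __name__ == "__main__":
    # Constructed sample destinations: an MPLS peer, a public DNS server,
    # and a peer whose prefix was forgotten in the switch configuration.
    for dst in ("10.200.5.1", "8.8.8.8", "192.168.50.1"):
        print(f"{dst:15} -> {next_hop(ROUTE_TABLE, dst):12} {path_for(ROUTE_TABLE, dst, MX_LAN_IP)}")
    missing = peers_falling_to_default(ROUTE_TABLE, ["10.200.5.1", "192.168.50.1"], MX_LAN_IP)
    print("MPLS peers missing a specific route:", missing)
```

Run the check with the real list of remote MX WAN addresses on the MPLS side; an empty result means every tunnel peer follows the MPLS routes and only management traffic hairpins through the MX LAN.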

2 Replies
Kind of a big deal

Very clever.

Just browsing

I have the same situation with the difference that I don't have dedicated Internet connectivity in my branches; everything gets out of the VPLS link.


I wasn't aware that the MXs NAT until I tried to replace an old 1841 with an MX68.


If I put one MX in my main site as a one-legged VPN concentrator, and in my branch have the MX Internet port connect to the private WAN and establish a site-to-site with the main site, does that send the packets untranslated to the main site?



