Skip to main content
Cisco Meraki Documentation

Carrier-Grade NAT and Meraki Auto VPN


Many carriers use CG-NAT (Carrier-Grade NAT) within their networks. IANA has recorded the allocation of an IPv4 /10 for use as Shared Address Space. The Shared Address Space address range is (RFC 6598). This is primarily seen on cellular deployments. Because they can use Carrier-Grade NAT to load balance between IPs and it is not a direct NAT, it can end up causing issues with Auto VPN as the IPs/Ports in use will vary.  There are a couple of options that can be implemented to resolve this.


Manual NAT traversal

On the hub-side upstream firewall, configure a manual UDP port and forward this to the Hub's WAN IP (VIP, if in use with HA). This may require the full range of UDP ports 1-65535 to be forwarded.  In this instance, it would be easier to do a 1:1 NAT upstream.


Bypassing CG-NAT

This requires working with the carrier to bypass the CG-NAT. This also requires the MX to obtain its own public IP on the WAN. This may or may not be doable depending on each network's design.


  • Only fixes Cellular to fixed VPNs
  • Cellular MX must be in NAT mode
  • Cellular MX must be a Spoke
  • Fixed MX can either be NAT or One-Armed Concentrator mode
  • Cellular sites can still communicate via the Hub
    • Cellular to Cellular MX cannot communicate directly
  • May require all UDP range 1-65535 to be opened on upstream network (unless you know what range the carrier uses for CG-NAT)